<<< Date Index >>>     <<< Thread Index >>>

Re: Google using Expired Cert and SSLv2



It seems you caught them just before they updated it.

Now it is v3 and valid from yesterday:

---
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4063034 (0x3dff3a)
        Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@xxxxxxxxxx
        Validity
            Not Before: Mar 31 20:09:01 2004 GMT
            Not After : Mar 31 18:52:39 2005 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb:
                    a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05:
                    4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71:
                    cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a:
                    f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4:
                    1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f:
                    49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e:
                    06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46:
                    b3:fe:19:33:26:8c:fb:89:ad
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            X509v3 CRL Distribution Points:
                URI:http://crl.thawte.com/ThawteServerCA.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.thawte.com

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption
        34:eb:5f:20:b9:ec:d0:4f:8c:61:b8:37:9b:cc:3f:f4:6a:e8:
        39:c9:f9:43:22:13:63:91:6e:ab:52:21:2c:8a:26:33:a3:bc:
        02:dc:c3:85:21:04:8d:61:1f:f3:0e:13:cc:f4:92:a5:fa:cc:
        37:53:e5:a2:41:88:f1:40:ea:92:0d:3e:21:63:16:6d:a6:5a:
        bc:c2:db:4c:69:ad:c2:a6:6a:26:00:04:9d:5b:9a:12:6f:51:
        b0:b7:df:e6:5e:32:0b:bc:bb:26:02:b8:e9:85:d5:e6:f9:be:
        7c:5a:88:4e:2e:ff:a2:7d:7c:1f:c1:f8:c8:92:d4:34:21:2c:
        71:05
-----BEGIN CERTIFICATE-----
MIIDUDCCArmgAwIBAgIDPf86MA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wNDAz
MzEyMDA5MDFaFw0wNTAzMzExODUyMzlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpH
b29nbGUgSW5jMRcwFQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAzojcfpr6i10kffFK6vuoSjOdnO8iyU0vrKDThgVP0bvL
Jqb0k7RDqqkot3HPpEfxwyBBLdSKHCC9b4rwnaTqcGVdEOPqfdK5h/QecWAjdWBJ
DUzADtmR0j9JdD9sv6FWRh+Z5hYzAk4GtlSBWN5+Lmkb9HaFQEaz/hkzJoz7ia0C
AwEAAaOBqjCBpzAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG
+EIEATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhh
d3RlU2VydmVyQ0EuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0
cDovL29jc3AudGhhd3RlLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA
A4GBADTrXyC57NBPjGG4N5vMP/Rq6DnJ+UMiE2ORbqtSISyKJjOjvALcw4UhBI1h
H/MOE8z0kqX6zDdT5aJBiPFA6pINPiFjFm2mWrzC20xprcKmaiYABJ1bmhJvUbC3
3+ZeMgu8uyYCuOmF1eb5vnxaiE4u/6J9fB/B+MiS1DQhLHEF
-----END CERTIFICATE-----

---



ivaylo











Matthew S. Hamrick wrote:
http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=729

Don't know how apropos it is to bugtraq, but I suppose it's relevant to the web
application security community. It's fairly well known amongst people who use
SSL to secure portions of their web application that SSL version 2 is "bad."
It's so bad that a bunch of really smart people went out and created SSL version
3. So I was pretty surprised today when I noticed that https://www.google.com/
is using an expired certificate and SSLv2.

Guess the moral of the story is: "even the big guys can get it wrong."

/etc
Matt H.


--


=============================
Ivaylo Kostadinov
GRID Systems Manager
Oxford e-Science Centre
Oxford University
13 Banbury Road
Oxford OX2 6NN

Phone:  +44 1865 273289
Fax:    +44 1865 273275
=============================