Message-ID: <406BE41A.7020506@oucs.ox.ac.uk>
Date: Thu, 01 Apr 2004 10:42:50 +0100
From: Ivaylo Kostadinov <ivaylo.kostadinov@...puting-services.oxford.ac.uk>
To: bugtraq@...urityfocus.com
Cc: webappsec@...urityfocus.com
Subject: Re: Google using Expired Cert and SSLv2


It seems you caught them just before they updated it.

Now it is v3 and valid from yesterday:

---
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4063034 (0x3dff3a)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@...wte.com
         Validity
             Not Before: Mar 31 20:09:01 2004 GMT
             Not After : Mar 31 18:52:39 2005 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                     00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb:
                     a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05:
                     4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71:
                     cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a:
                     f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4:
                     1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f:
                     49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e:
                     06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46:
                     b3:fe:19:33:26:8c:fb:89:ad
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
             X509v3 CRL Distribution Points:
                 URI:http://crl.thawte.com/ThawteServerCA.crl

             Authority Information Access:
                 OCSP - URI:http://ocsp.thawte.com

             X509v3 Basic Constraints: critical
                 CA:FALSE
     Signature Algorithm: md5WithRSAEncryption
         34:eb:5f:20:b9:ec:d0:4f:8c:61:b8:37:9b:cc:3f:f4:6a:e8:
         39:c9:f9:43:22:13:63:91:6e:ab:52:21:2c:8a:26:33:a3:bc:
         02:dc:c3:85:21:04:8d:61:1f:f3:0e:13:cc:f4:92:a5:fa:cc:
         37:53:e5:a2:41:88:f1:40:ea:92:0d:3e:21:63:16:6d:a6:5a:
         bc:c2:db:4c:69:ad:c2:a6:6a:26:00:04:9d:5b:9a:12:6f:51:
         b0:b7:df:e6:5e:32:0b:bc:bb:26:02:b8:e9:85:d5:e6:f9:be:
         7c:5a:88:4e:2e:ff:a2:7d:7c:1f:c1:f8:c8:92:d4:34:21:2c:
         71:05

---



ivaylo











Matthew S. Hamrick wrote:
> http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=729
> 
> Don't know how apropos it is to bugtraq, but I suppose it's relevant to the web
> application security community. It's fairly well known amongst people who use
> SSL to secure portions of their web application that SSL version 2 is "bad."
> It's so bad that a bunch of really smart people went out and created SSL version
> 3. So I was pretty surprised today when I noticed that https://www.google.com/
> is using an expired certificate and SSLv2.
> 
> Guess the moral of the story is: "even the big guys can get it wrong."
> 
> /etc
> Matt H.
> 

-- 


=============================
Ivaylo Kostadinov
GRID Systems Manager
Oxford e-Science Centre
Oxford University
13 Banbury Road
Oxford OX2 6NN

Phone:  +44 1865 273289
Fax:    +44 1865 273275
=============================
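
Added example, not part of the original message: a small Python parser for the fields of an `openssl x509 -text` style dump like the one above, used to check the validity window at the time this reply was sent. The function names are illustrative, and the sample holds only a few lines copied from the dump.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# A few lines copied from the certificate dump in the message above.
SAMPLE = """\
         Version: 3 (0x2)
         Signature Algorithm: md5WithRSAEncryption
             Not Before: Mar 31 20:09:01 2004 GMT
             Not After : Mar 31 18:52:39 2005 GMT
             RSA Public Key: (1024 bit)
"""
TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_dump(text):
    """Extract format version, signature algorithm, key size and validity."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1).strip()

    def when(label):
        # Collapse the double space openssl uses for single-digit days.
        raw = " ".join(grab(label + r"\s*:\s*(.+)").split())
        return datetime.strptime(raw, TIME_FMT).replace(tzinfo=timezone.utc)

    return {
        # X.509 format version; the dump carries no SSL protocol version.
        "version": int(grab(r"Version:\s*(\d+)")),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "key_bits": int(grab(r"Public[ -]Key:\s*\((\d+) bit\)")),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
    }

def validity_state(cert, at):
    """Classify the certificate at the timezone-aware instant `at`."""
    if at < cert["not_before"]:
        return "not-yet-valid"
    if at > cert["not_after"]:
        return "expired"
    return "valid"

CERT = parse_dump(SAMPLE)
# Date header of this reply, converted to an aware datetime.
MESSAGE_DATE = parsedate_to_datetime("Thu, 01 Apr 2004 10:42:50 +0100")

if __name__ == "__main__":
    print(CERT["sig_alg"], CERT["key_bits"], validity_state(CERT, MESSAGE_DATE))
```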


