DevCentral Weblogs: Joe Pruitt - A Software Architect's take on Network Security
Google Chrome doesn't want you to visit google.com securely!
posted on Friday, September 05, 2008 8:49 AM

I was playing around with Google Chrome the last few days and of course the first thing I did was log in to my personal email account on Google Apps.  Everything seemed to work great so I went ahead and visited a few other sites.  Somewhere along the way I received an error page and clicked through it without thinking anything of it.

Yesterday on the DevCentral Podcast, Colin was talking about his recent tech tip on "Can iRules fix my cert mismatch errors?" and that reminded me of that error message.  So I went back and checked it out and sure enough, it was a certificate mismatch error.  The image on the right is the security warning in Chrome and below is the same warning from Firefox 3.  So I guess Firefox doesn't want you to visit google.com securely either?  In fact, neither does Microsoft!

Want to try it out for yourself?  Load up your browser and type in https://google.com.  Not "www.google.com" but just "google.com", and make sure you put in "https" instead of "http".

As Google's own Chrome browser states:

You attempted to reach google.com, but instead you actually reached a server identifying itself as www.google.com.  This may be caused by a misconfiguration on the server or by something more serious.  An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of google.com.  You should not proceed.

Google's own product is telling us that you should not proceed to google.com!  What??? What the heck is going on?  Is this a security issue?  Has someone taken over Google's servers?  Is this a fake version of Google that some hacker is trying to get me to visit?  In this case, of course not, but it is an issue with the way they have configured their SSL certificates.   I guess Google is assuming that their users will always type in "www." before "google.com" and didn't worry about testing the secure version of their site without the "www" prefix.  Shame on you, Mr. Network Guy in Google's Network group!

So what's going on?  When you purchase an SSL certificate, the domain name of your site is included in the certificate along with other information, such as your Organization name, that identifies the website your certificate is securing.  The information in Google's certificate is shown in the image to the right.  You'll see that the "Common Name (CN)" in this certificate is www.google.com.  Google obviously has the same certificate protecting both www.google.com and plain old google.com.  When you browse to the latter, the browser compares the hostname you typed against the name in the certificate and sees that the Common Name doesn't match.  Security is important, so an exact match is required, and if the names aren't the same you get this standard security warning.
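To make the comparison the paragraph describes concrete, here is an added example (not code from this post, nor from F5 or Google) that performs the browser-style hostname check against a certificate. The two certificate dictionaries are constructed by hand in the shape Python's `ssl.getpeercert()` returns and are not Google's real certificates; `live_check()` is an optional helper that fetches a real server's certificate, with the trust chain still verified by the system CA store, and runs the same check. The example goes a little beyond the post: it handles the Subject Alternative Name (SAN) list, which is how one certificate legitimately covers both `google.com` and `www.google.com` today, and the single-label wildcard rule, so you can see why `*.google.com` would still not have covered the bare domain.

```python
"""Hostname-vs-certificate matching, the check behind the warning in the post.

Added example, not code from the post. The certificate dictionaries are
constructed to look like ssl.getpeercert() output; they are not real certs.
"""
import socket
import ssl


def cert_names(cert):
    """Return the DNS names a certificate claims, in the order a browser checks them.

    DNS entries in the Subject Alternative Name extension come first; the
    subject's Common Name is only a fallback when no DNS SAN is present.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Match one certificate name against the requested hostname.

    Comparison is case-insensitive. A '*' is accepted only as the entire
    left-most label and matches exactly one label, so '*.google.com' covers
    'www.google.com' but neither 'google.com' nor 'a.b.google.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' anywhere but the whole first label, and overly broad '*.com'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Return (ok, names_tried); ok is False where a browser would warn."""
    names = cert_names(cert)
    return any(name_matches(n, hostname) for n in names), names


# Constructed certificate as the post describes it: CN is www.google.com only.
CERT_WWW_ONLY = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Google Inc"),),
                (("commonName", "www.google.com"),)),
}

# Constructed certificate that would avoid the warning: a SAN list naming
# both hosts, which is the usual fix rather than buying a second certificate.
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.google.com"),),),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "google.com")),
}


def live_check(hostname, port=443, timeout=5):
    """Fetch a real server's certificate and run check_hostname() on it.

    The CA chain is still verified by the default context; only the built-in
    name check is disabled so that this function's own check is the one that
    runs. Needs network access, so it is not called at import time.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return check_hostname(tls.getpeercert(), hostname)


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_WWW_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("www.google.com", "google.com"):
            ok, names = check_hostname(cert, host)
            # e.g. "CN only  google.com  -> MISMATCH (cert names: ['www.google.com'])"
            print(f"{label:9} {host:16} -> {'ok' if ok else 'MISMATCH'} (cert names: {names})")
```

The first loop reproduces the post's situation: with the CN-only certificate, `www.google.com` passes and `google.com` fails, which is exactly the condition that makes Chrome, Firefox and IE show their warning pages. With the SAN certificate both names pass. Run `live_check("google.com")` to see what today's server actually sends.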

Looks like Google needs to pony up and spend the couple hundred bucks to buy a second certificate for those of us out here that like to save the wear-and-tear on our "w" keys.

Tsk, tsk, tsk...  Rookie mistake Google!

-Joe


Feedback


9/5/2008 4:36 PM
"Google's own product is telling us that you should not proceed to google.com! What??? What the heck is going on? Is this a security issue? Has someone taken over Google's servers? Is this a fake version of Google that some hacker is trying to get me to visit? In this case, of course not"

Since the cert doesn't match, how can you tell?

"So I guess FireFox doesn't want you to visit google.com securely either? In fact, neither does Microsoft!"

They do, which is why they display an error message when they can't be sure it's secure.
abc

9/6/2008 3:15 PM
Google has your security at heart when they're busy collecting your confidential business data, bank account details, medical information and personal preferences in pornography ;-)

Seriously, there appear to be other odd things in the Google Chrome code. For instance, Chrome works in Linux in the latest version of Wine, except for SSL. (And note it works in Wine but doesn't work on Windows 2000. o_0 )

Chrome appears to be just a little rapidly hacked together. They claim Mac and Linux versions are coming soon you betcha, but if you look through the code it's pure Windows thinking all the way with no consideration of cross-platform deployment whatsoever. I predict you'll see it working perfectly in Wine (next 2-weekly version or the one after) well before a native Mac or Linux version comes out.
David Gerard

9/6/2008 8:14 PM
Hmm, the same "rookie" mistake exists at other popular browser manufacturers (microsoft.com, mozilla.org), or Certificate vendors (verisign.com, thawte.com) or banks (chase.com, smithbarney.com, paypal.com) and a few other major sites like ibm.com, ebay.com, amazon.com. Maybe the web is designed so you really care about the "www", and a new keyboard is in order.
Dave Boldt

9/7/2008 10:44 AM
This appears to be a Wine issue, not a Chrome issue. Running Chrome in Wine here I cannot access any SSL site; running Chrome on my wife's Vista machine I have no problems with SSL connections.
John Thompson

9/8/2008 7:25 AM
abc, you can be fairly sure if the domain name (i.e., google.com) you are going to is owned by the company. I double checked with whois.com and google.com is owned by Google. If www.google.com has a valid cert, but google.com does not, then you can be fairly sure that when connecting to the latter, you are going to the same company as the first.

-Joe
Joe Pruitt

9/8/2008 7:29 AM
David, I think it's a good bet as well for something to work in Wine before Mac or Linux because it will likely be fewer tweaks to get it there. Have you looked at the code? From what basis are you stating that it's "pure Windows thinking all the way with no consideration of cross-platform deployment"? Are they using the Win32 APIs without an abstraction layer? I've read comments by noteworthy unix devs that stated that the code looks very clean and elegant - not something I'd suspect if the code was geared to Windows dev.

-Joe
Joe Pruitt

9/8/2008 7:31 AM
John, I think that was David's point, in that SSL didn't work while running under Wine. I've tested it under Vista and XP and it seems to work fine in both cases. I haven't tried Win2k though - not sure if that is their target audience since that version is going on 9 years old.

-Joe
Joe Pruitt

9/16/2008 4:06 PM
There are so many advantages and features with Chrome, such as its speed, for example; the main issue I have with it is its cookie management.
film fan

9/16/2008 4:16 PM
film fan, cookie management as well as bookmarks. But I'm sure those things will come over time.

-Joe
Joe Pruitt