I was playing around with Google Chrome the last few days and of course the first thing I did was log in to my personal email account on Google Apps.  Everything seemed to work great so I went ahead and visited a few other sites.  Somewhere along the way I received an error page and clicked through it not thinking anything of it.

Yesterday on the DevCentral Podcast, Colin was talking about his recent tech tip on "Can iRules fix my cert mismatch errors?" and that reminded me of that error message.  So I went back and checked it out and sure enough, it was a mismatch error.  The image on the right is the security warning in Chrome and below is the same warning from Firefox 3.  So I guess Firefox doesn't want you to visit google.com securely either?  In fact, neither does Microsoft!

Want to try it out for yourself?  Load up your browser and type in https://google.com.  Not "www.google.com" but just "google.com", and make sure you put in "https" instead of "http".

As Google's own Chrome browser states:

You attempted to reach google.com, but instead you actually reached a server identifying itself as www.google.com.  This may be caused by a misconfiguration on the server or by something more serious.  An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of google.com.  You should not proceed.

Google's own product is telling us that you should not proceed to google.com!  What??? What the heck is going on?  Is this a security issue?  Has someone taken over Google's servers?  Is this a fake version of Google that some hacker is trying to get me to visit?  In this case, of course not, but it is an issue with the way they have configured their SSL certificates.   I guess Google is assuming that their users will always type in "www." before "google.com" and didn't worry about testing the secure version of their site without the "www" prefix.  Shame on you Mr. Network Guy in Google's Network group!

So what's going on?  When you purchase an SSL certificate, the domain name of your site is included in the certificate along with other information, such as your Organization name, that identifies the website the certificate is securing.  The information in Google's certificate is to the right.  You'll see that the "Common Name (CN)" in this certificate is www.google.com.  Google is obviously serving the same certificate for both www.google.com and plain old google.com.  When you browse to the latter, the browser sees that the Common Name in the certificate doesn't match the hostname you requested.  Security is important, so the browser insists on an exact match between the two, and when they differ you get this standard security warning.
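Here is the matching check itself, as an added example that is not part of the original post or of any browser's code.  The two certificate dictionaries are constructed to mirror what Python's ssl.SSLSocket.getpeercert() returns (the Organization and names are stand-ins, not captured from Google): one carries only www.google.com, the other adds the bare domain as a Subject Alternative Name, which is how a single certificate can legitimately cover both hostnames.  The matcher follows the usual browser rule that SAN DNS entries take precedence over the CN and that a wildcard only covers one label, so "*.google.com" would not have fixed the bare-domain case either.  live_check() is an optional network probe and is not run at import.

```python
"""Hostname-versus-certificate matching: the check a browser performs before it
decides whether to show the mismatch warning described in the post."""
import socket
import ssl

# Constructed stand-in for the certificate the post describes: CN=www.google.com
# and no entry for the bare domain.  Shape mirrors ssl.getpeercert() output.
WWW_ONLY_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org (constructed)"),),
        (("commonName", "www.google.com"),),
    ),
    "subjectAltName": (("DNS", "www.google.com"),),
}

# Constructed "fixed" certificate: same CN, but the SAN list also names google.com.
FIXED_CERT = {
    "subject": WWW_ONLY_CERT["subject"],
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "google.com")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a wildcard in the leftmost label only."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        suffix = p[1:]                      # "*.google.com" -> ".google.com"
        if h.endswith(suffix):
            remainder = h[: -len(suffix)]   # the part the wildcard stands for
            # Must be exactly one non-empty label: "mail" ok, "" and "a.b" not.
            return remainder != "" and "." not in remainder
    return False


def names_in_cert(cert: dict) -> list:
    """DNS names the certificate is valid for.

    If the certificate has DNS Subject Alternative Names, those are authoritative
    and the Common Name is ignored; only a SAN-less certificate falls back to CN.
    """
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def cert_matches_host(cert: dict, hostname: str):
    """Return (ok, reason) for the requested hostname against the certificate."""
    names = names_in_cert(cert)
    for name in names:
        if _name_matches(name, hostname):
            return True, f"{hostname} matches certificate name {name}"
    return False, f"{hostname} is not among certificate names {names}"


def live_check(hostname: str, port: int = 443):
    """Optional network probe: a full TLS handshake with hostname verification on.

    Returns (True, names) on success or (False, error text) when verification
    fails, which is exactly the condition that triggers the browser warning.
    """
    ctx = ssl.create_default_context()  # check_hostname=True by default
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, names_in_cert(tls.getpeercert())
    except OSError as exc:  # SSLCertVerificationError is an OSError subclass
        return False, str(exc)


if __name__ == "__main__":
    for host in ("google.com", "www.google.com"):
        print("www-only cert:", cert_matches_host(WWW_ONLY_CERT, host))
        print("fixed cert:   ", cert_matches_host(FIXED_CERT, host))
```

Run the module directly to see the bare domain rejected by the first certificate and accepted by the second; call live_check("google.com") to repeat the post's browser experiment from the command line against whatever the site serves today.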

Looks like Google needs to pony up and spend the couple hundred bucks to buy a second certificate for those of us out here that like to save the wear-and-tear of our "w" keys. 

Tsk, tsk, tsk...  Rookie mistake Google!

-Joe