Thursday 22 December 2011

Twitter.com serving wrong certificate

Here's a blog post about twitter serving the wrong certificate on one of its domains. This could be a classic example of a government sniffing usernames and passwords with a compromised private key of the domain twitter.com, although the whole set-up really just suggests someone at twitter made a mistake.

The problem is with the domain https://fr.twitter.com. For some reason it popped up in my timeline yesterday and I was automatically forwarded to it several times. I have no idea why, but apparently I'm not the only one; see the twitter search results: https://twitter.com/#!/search/fr.twitter.com
The domain is serving you the certificate for twitter.com and not, as it should in this case, one for fr.twitter.com. See below the certificate fr.twitter.com is serving; note the issuer.

I have to mention I wouldn't have noticed this if the certificate had been a wildcard certificate for *.twitter.com, because then the certificate would have been valid and I would probably have ignored it.
The domain name fr.twitter.com resolves to 199.59.149.230, 199.59.149.198 and 199.59.148.82, while twitter.com resolves to 199.59.148.10, 199.59.148.82 and 199.59.149.230. Both are within the TWITTER-NETWORK. But as we all know, governments can redirect any traffic if they want to.

Another funny thing: the IP address 199.59.149.198 is also hosting this website: itgovportal.net. Visit that website and take a look. Is it just @sfkassab redirecting the traffic of his website?

Let's wait for twitter to respond.

UPDATE:
No response from twitter yet. But I've had a closer look.
There are 4 twitter DNS servers that serve the domains twitter.com and fr.twitter.com.
2 DNS servers (ns1.p34.dynect.net & ns4.p34.dynect.net) serve these records:
Name: twitter.com
Addresses: 199.59.149.230, 199.59.149.198, 199.59.148.82
Aliases: fr.twitter.com

And the other 2 (ns2.p34.dynect.net & ns3.p34.dynect.net) serve:
Name: twitter.com
Addresses: 199.59.148.10, 199.59.148.82, 199.59.149.230
Aliases: fr.twitter.com
That explains the IP difference I saw at first, which had set off my alarm bells.

But then again, twitter shouldn't use that CNAME, because the SSL certificate is only valid for twitter.com. They should have used a *.twitter.com certificate instead, or better still, dropped fr.twitter.com altogether (or redirected it).
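As an added example (not the author's code), here is a Python check for the mismatch described in this paragraph and in the earlier remark about a wildcard certificate: it applies the hostname-matching rule a browser uses, so a certificate issued only for twitter.com fails for fr.twitter.com while a *.twitter.com certificate would pass. The certificate dicts are constructed to mirror the post; fetch_and_check is the optional live version and needs network access.

```python
import socket
import ssl

def names_in_cert(cert):
    """DNS names a certificate covers: SAN dNSName entries, or the subject
    commonName when there is no SAN. `cert` has the dict shape returned by
    ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single '*' as the leftmost label covering exactly one
    label: *.twitter.com matches fr.twitter.com, but neither twitter.com nor
    a.fr.twitter.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest

def cert_valid_for(cert, hostname):
    """True if any name in the certificate matches the hostname we asked for."""
    return any(name_matches(n, hostname) for n in names_in_cert(cert))

def fetch_and_check(hostname, port=443, timeout=5):
    """Live check (needs network): connect with SNI set to `hostname`, let the
    default context verify the chain, and report whether the presented
    certificate actually covers `hostname`, plus the names it does cover."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare names ourselves so we can report the mismatch
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_valid_for(cert, hostname), names_in_cert(cert)

# Constructed certificate subjects: one issued only for twitter.com (what
# fr.twitter.com served) and the wildcard that would have hidden the mismatch.
CERT_TWITTER_ONLY = {"subject": ((("commonName", "twitter.com"),),),
                     "subjectAltName": (("DNS", "twitter.com"), ("DNS", "www.twitter.com"))}
CERT_WILDCARD = {"subject": ((("commonName", "*.twitter.com"),),),
                 "subjectAltName": (("DNS", "*.twitter.com"), ("DNS", "twitter.com"))}
```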

Another thing: I found out de.twitter.com is also a CNAME. So you would expect these to be country codes, but nl., uk., pl. and es.twitter.com are not CNAMEs.
de.twitter.com doesn't show up in the search results: https://twitter.com/#!/search/de.twitter.com
whereas fr.twitter.com is posted by many users. Strange situation going on here.

The last thing I have to mention is that the twitter DNS servers are operated by DynDNS.org, and DynDNS doesn't have such a good reputation regarding privacy; see this blog about that issue.
This basically means we can now link Twitter to DynDNS, the FBI to DynDNS, and Duqu (kasperskychk.dyndns.org) to DynDNS.
