Thursday 22 December 2011 serving wrong certificate

Here's a blog post about twitter serving the wrong certificate on one of its domains. This could be a classic example of a government sniffing usernames and passwords with a compromised private key of the domain, although the whole set-up suggests someone at twitter simply made a mistake.

The problem is with the domain. For some reason it popped up in my timeline yesterday and I was automatically forwarded to it several times. I have no idea why, but apparently I'm not the only one; see the twitter search results:!/search/
The domain is providing you with the certificate for the other domain and not, as it should in this case, its own. See below the certificate it is serving; note the issuer.

I have to mention that I wouldn't have noticed this if the certificate had been a wildcard certificate for *, because then the certificate would be valid and I would probably have ignored it.
The domain name resolves to, and, while the other resolves to, and. Both are within TWITTER-NETWORK. But as we all know, governments can redirect any traffic if they want to.

Another funny thing: the IP address is also hosting this website: Visit that website and take a look. Is it just @sfkassab redirecting the traffic of his website?

Let's wait for twitter to respond.

No response from twitter yet, but I've had a closer look.
There are 4 twitter DNS servers that serve the domains and
2 DNS servers ( & serve these records:

And the other 2 ( & serve:
That explains the IP difference I saw at first, which had set off my alarm bells.

But then again, twitter shouldn't use that CNAME, because the SSL certificate is only valid for the one hostname. They should have used * instead, or better, delete (or auto-forward) the usage of the other name.
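The two remarks above (a wildcard certificate would have matched; a CNAME pointing at a host whose certificate names only one hostname does not) come down to the hostname-matching rules a client applies. As an added example that is not from the original post, here is a small Python checker that applies those rules to the dict shape `ssl.getpeercert()` returns; the certificate dicts and the `example.com` names are constructed placeholders, not the real twitter certificates.

```python
"""Check whether a certificate (as a ssl.getpeercert() dict) is valid for a hostname."""


def san_dns_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without a SAN extension
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style matching: exact match, or '*' as the whole leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    host_labels = hostname.split(".")
    # The wildcard covers exactly one label, and never a bare second-level name.
    if len(host_labels) < 3:
        return False
    return ".".join(host_labels[1:]) == pattern[2:]


def cert_matches_hostname(cert, hostname):
    """True if any DNS name in the certificate covers the hostname the client asked for."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


# Constructed certificate dicts in the ssl.getpeercert() layout (placeholder domains).
CERT_SPECIFIC = {"subject": ((("commonName", "www.example.com"),),),
                 "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
CERT_WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}


def explain(cert, hostname):
    """One-line verdict, e.g. for the CNAME case: m.example.com served the www certificate."""
    verdict = "valid" if cert_matches_hostname(cert, hostname) else "MISMATCH"
    return f"{hostname}: {verdict} against {san_dns_names(cert)}"


if __name__ == "__main__":
    for host in ("www.example.com", "m.example.com", "a.b.example.com"):
        print(explain(CERT_SPECIFIC, host))
        print(explain(CERT_WILDCARD, host))
```

A host reached through a CNAME is still compared against the name the user typed, so `m.example.com` fails against the `www` certificate but passes against the wildcard one.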

Another thing: I found out that it is also a CNAME. So you would expect these to be country codes, but nl., uk. and pl. are not CNAMEs. It doesn't show up in the search results:!/search/
whereas the other one does show up, posted by many users. Strange situation going on here.

The last thing I have to mention is that the twitter DNS servers are operated by, and DynDNS doesn't have such a good reputation regarding privacy; see this blog about that issue.
This basically means we can now link Twitter to DynDNS, the FBI to DynDNS, and Duqu ( ) to DynDNS.
