Friday 16 March 2012

Twitter and its strange certificate structure

Back in this blog post from December 2011 I noticed some of the Twitter servers were serving the wrong certificates. I notified Twitter in several emails, but never received a response. (bad bad Twitter!)
However, today I noticed they did take some action regarding this problem.
Strangely, they now have 2 different certificates in their live environment: one signed by VeriSign and one by RapidSSL/GeoTrust. Below you see both certificates compared:

One is valid for www.twitter.com and twitter.com. The other for twitter.com and the wildcard *.twitter.com.

Here are their pastebin links:
Currently active: twitter.com / www.twitter.com - VeriSign valid from 7/7/2011
Currently backup: *.twitter.com / www.twitter.com - RapidSSL/GeoTrust valid from 7/17/2011

Just a few questions arise. Why the heck do you use at least 2 Certificate Authorities to sign your certificates? Why are there 2 different certificates in a live environment?
Having multiple certificates, and therefore multiple private keys, for just one environment means more keys to protect and more that can get compromised. Secondly, the newly presented certificate has already been valid since 17 July 2011; how many more certificates do you have in stock?

Here are some facts about Twitter and its certificate handling.
Twitter has requested certificates for these domains (hostname -> intermediate CA -> root):
api.twitter.com -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
urls-real.api.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
pay.twitter.com -> VeriSign Class 3 Extended Validation SSL CA -> VeriSign
partnerdata.twttr.com -> DigiCert HA CA-3 -> DigiCert
dev.twitter.com -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
mobile.twitter.com -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
sms.twitter.com -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
support.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
upload.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
stream.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
xstream.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
sitestream.twitter.com -> VeriSign Class 3 Secure Server CA - G3 -> VeriSign
userstream.twitter.com -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
t.co -> VeriSign Class 3 Secure Server CA - G2 -> VeriSign
twitter.com -> VeriSign Class 3 Extended Validation SSL CA -> VeriSign

But almost all of these could of course be replaced by this one (not t.co, partnerdata.twttr.com or urls-real.api.twitter.com, since a wildcard only matches a single label directly under twitter.com):
*.twitter.com -> RapidSSL CA -> GeoTrust Global CA

Based on the above facts we can conclude twitter uses 3 Certificate Authorities to sign its certificates:
- VeriSign
- RapidSSL/GeoTrust
- DigiCert

Twitter is already serving the *.twitter.com certificate on 19 servers, and the old www.twitter.com certificate on only 6 servers.
What's going on, dudes?!
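The survey this post does by hand (connect to each server behind a hostname, read off the subject, SAN names and issuer of the certificate it presents, and check whether that certificate actually covers the hostname) as an added Python example; this is not code from the original post or from Twitter. It uses only the Python 3 standard library. Chain validation is left on (otherwise `getpeercert()` returns nothing to inspect) while hostname matching is done in the script, so a wrong certificate is reported instead of aborting the connection. The two certificate dicts embedded below are constructed from the facts above (names, issuing CAs, notBefore dates); their notAfter dates, issuer organisation fields and the 192.0.2.x demo addresses are made up so the grouping logic can run offline.

```python
# Added example: survey which leaf certificate each server behind a hostname
# presents, group servers by certificate and flag ones that do not cover the
# name. Standard library only; the sample certificates below are constructed.
import socket
import ssl
import sys
from datetime import datetime, timezone

def fetch_cert(hostname, ip=None, port=443, timeout=5.0):
    """Leaf certificate one server presents for SNI=hostname, as the dict that
    ssl.SSLSocket.getpeercert() builds. Chain validation stays on (getpeercert()
    returns {} for an unvalidated cert); hostname checking is off so a
    mismatched certificate comes back and is reported rather than raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # names are matched by cert_covers() below
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip or hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def common_name(rdns):
    """commonName out of a getpeercert()-style sequence of RDN tuples."""
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)

def dns_names(cert):
    """Names the certificate is good for: subject CN plus SAN DNS entries."""
    names = [common_name(cert.get("subject", ()))]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return list(dict.fromkeys(n.lower() for n in names if n))

def name_matches(hostname, pattern):
    """RFC 6125 wildcard rule: '*' stands for exactly one leftmost label, so
    *.twitter.com covers www.twitter.com but not twitter.com or a.b.twitter.com."""
    h, p = hostname.lower().rstrip(".").split("."), pattern.lower().split(".")
    if p[0] != "*":
        return h == p
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]

def cert_covers(cert, hostname):
    return any(name_matches(hostname, n) for n in dns_names(cert))

def validity(cert):
    """(notBefore, notAfter) as aware UTC datetimes."""
    return tuple(datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[k]), timezone.utc)
                 for k in ("notBefore", "notAfter"))

def survey(hostname, port=443):
    """{ip: cert dict or error string} for every address hostname resolves to.
    Needs the network; the address list is whatever your resolver hands out now."""
    addrs = {ai[4][0] for ai in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)}
    results = {}
    for ip in sorted(addrs):
        try:
            results[ip] = fetch_cert(hostname, ip=ip, port=port)
        except OSError as exc:            # ssl.SSLError is an OSError subclass
            results[ip] = f"error: {exc}"
    return results

def report(hostname, certs_by_server):
    """Rows (issuer CN, names, notBefore date, covers_hostname, [servers]),
    one per distinct certificate, most widely deployed first."""
    groups = {}
    for server, cert in certs_by_server.items():
        if isinstance(cert, str):         # fetch failed; keep the reason visible
            key = ("<error>", (cert,), "", False)
        else:
            key = (common_name(cert.get("issuer", ())) or "<unknown issuer>",
                   tuple(dns_names(cert)), validity(cert)[0].date().isoformat(),
                   cert_covers(cert, hostname))
        groups.setdefault(key, []).append(server)
    rows = [key + (sorted(servers),) for key, servers in groups.items()]
    return sorted(rows, key=lambda r: (-len(r[4]), r[0]))

# Constructed from the page's facts (names, issuing CAs, notBefore dates); the
# notAfter values, issuer organisation fields and demo addresses are assumed.
VERISIGN_CERT = {
    "subject": ((("commonName", "twitter.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "VeriSign Class 3 Extended Validation SSL CA"),)),
    "notBefore": "Jul  7 00:00:00 2011 GMT", "notAfter": "Jul  6 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "twitter.com"), ("DNS", "www.twitter.com")),
}
RAPIDSSL_CERT = {
    "subject": ((("commonName", "*.twitter.com"),),),
    "issuer": ((("organizationName", "GeoTrust, Inc."),), (("commonName", "RapidSSL CA"),)),
    "notBefore": "Jul 17 00:00:00 2011 GMT", "notAfter": "Jul 18 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "*.twitter.com"), ("DNS", "twitter.com")),
}
DEMO_SERVERS = {"192.0.2.10": VERISIGN_CERT, "192.0.2.11": RAPIDSSL_CERT,
                "192.0.2.12": RAPIDSSL_CERT}

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.twitter.com"
    servers = survey(host) if len(sys.argv) > 1 else DEMO_SERVERS   # offline demo
    for issuer, names, not_before, ok, ips in report(host, servers):
        flag = "" if ok else f"   <-- does NOT cover {host}"
        print(f"{len(ips):3d} server(s)  {issuer}  names={', '.join(names)}"
              f"  notBefore={not_before}{flag}\n             {', '.join(ips)}")
```

Run it as `python survey.py www.twitter.com` to query every address the name resolves to; with no argument it reports on the constructed data. Two caveats: `getaddrinfo` only returns the addresses your resolver hands out at that moment, so the "19 servers versus 6" kind of count depends on vantage point and time, and a wildcard such as *.twitter.com presented for a name like urls-real.api.twitter.com shows up as "does NOT cover", because the wildcard matches exactly one label.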
