11

When I'm opening https://india.gov.in, it's opening all right. But for https://www.india.gov.in, the browser is throwing a certificate error. Why is that happening?

Hacktiker
  • 924
  • 7
  • 14
Arka
  • 571
  • 2
  • 7
  • 12

2 Answers2

32

www is a common prefix for websites. However, at a technical level it is just another subdomain, and there's nothing special about it. If a webserver accepts both or even more DNS names, it has to be configured that way. The server decides which configuration to use based on the DNS name in the HTTP request.

The certificate served for https://india.gov.in covers india.gov.in. It does not cover www.india.gov.in, nor does it cover any other subdomain (foo.india.gov.in) or other domain (example.com). This is the most basic form of TLS certificate, and a pretty common one.

The DNS records for india.gov.in and www.india.gov.in don't necessarily have to go to the same place; they could resolve different IP addresses and dfferenet DNS record types. This is commonly done for hosting various applications on a single base domain, e.g. having mail.india.gov.in go to a webmail server.

A common way for companies to deal with this sort of issue is to buy a wildcard certificate (*.india.gov.in) to cover all their subdomains. OWASP recommends against this because you have to secure every endpoint that needs the certificate (in our example above, an attacker breaching the webmail could extract the certificate and use it to man-in-the-middle a connection to the normal website, or vice versa). A better option is to use a SAN certificate that includes just india.gov.in and www.india.gov.in, then set up redirects for any page requested on one domain to the other.

Xiong Chiamiov
  • 9,432
  • 2
  • 34
  • 81
  • 4
    However, connections to www.india.gov on destination ports 80 and 443 ought to be redirected to india.gov (or vice versa) such that no one ever actually has to type the "www." part of the name. IMO, a site that actually requires "www." be specified indicates an incompetent webmaster. – Monty Harder Feb 03 '17 at 21:17
  • 2
    Great answer, but the comment about wildcard certificates is dangerous.. A lot of places are moving away from it. See https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Use_Wildcard_Certificates – Tim Brigham Feb 03 '17 at 21:43
  • 1
    @TimBrigham I think the real danger described there is making "including developer's machines, the secretary's machine in the lobby and the sign-in kiosk" accessible from the internet and placing your private key on such difficult to secure machines. Seriously, what the heck? Why is that even a consideration? Just like any sensitive piece of information, it should only be accessible to certain people and used on certain, secure machines. – jpmc26 Feb 03 '17 at 23:12
  • @TimBrigham Thanks, I added some notes on wildcard certs. – Xiong Chiamiov Feb 03 '17 at 23:49
  • 1
    @AndréBorie Google, Microsoft, and Apple are stuck in the 90s? Good to know. Alternatively, people who don't know better are used to it, and businesses would rather cater to their expectations than make them feel weird trying to force new conventions on them. – jpmc26 Feb 04 '17 at 01:09
  • @MontyHarder That would trip the same certificate errors (at least, if you manually type both 'https' and 'www'). The browser has no way of knowing that the server giving you the redirect is the real server, or the same as the one it's redirecting to, unless the first server supplies a valid certificate for the domain. – SomeoneSomewhereSupportsMonica Feb 04 '17 at 07:02
1

No, you cannot always remove WWW from a host name:

$ curl -I www.google.com/settings
HTTP/1.1 302 Found

$ curl -I google.com/settings
HTTP/1.1 404 Not Found
Zombo
  • 1
  • 1
  • 1
  • 8