On Wed, Jan 10, 2007 at 06:31:21PM -0500, Steven M. Bellovin wrote:
I just stumbled on a web site that strongly believes in crypto --
*everything* on the site is protected by https. If you go there via
http, you receive a Redirect. The site? www.cia.gov:
$ telnet www.cia.gov 80
Trying 198.81.129.100...
Connected to www.odci.gov.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.0 301 Found
Location: https://www.cia.gov/
Their public email gateways don't believe in crypto nearly as much as
cs.columbia.edu does.
$ for d in cia.gov cs.columbia.edu; do
echo; dig +sho -t mx $d | sort +0n |
tee /dev/tty |
perl -lne 'm{(\S+)\.$} print $1' |
while read h; do echo; smtp-finger -t [$h] $d 21 |
perl -lne 'print unless (/^-{5}BEGIN/ .. /^-{5}END/);'; done; done
5 mail2.ucia.gov.
10 mail1.ucia.gov.
smtp-finger: Connected to mail2.ucia.gov[198.81.129.148]:25
smtp-finger: 220 mail2b.ucia.gov ESMTP
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-mail2b.ucia.gov
smtp-finger: 250-8BITMIME
smtp-finger: 250 SIZE 104857600
smtp-finger: Connected to mail1.ucia.gov[198.81.129.68]:25
smtp-finger: 220 mail1a.ucia.gov ESMTP
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-mail1a.ucia.gov
smtp-finger: 250-8BITMIME
smtp-finger: 250 SIZE 104857600
100 cs.columbia.edu.
200 ober.cs.columbia.edu.
200 opus.cs.columbia.edu.
smtp-finger: Connected to cs.columbia.edu[128.59.16.20]:25
smtp-finger: 220 cs.columbia.edu ESMTP Sendmail (8.12.10/22/jtt/sed/ib42)
is thrilled to serve you at Sat, 13 Jan 2007 13:27:13 -0500 (EST).
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-cs.columbia.edu Hello amnesiac.ms.com [192.0.2.1],
pleased to meet you
smtp-finger: 250-ENHANCEDSTATUSCODES
smtp-finger: 250-PIPELINING
smtp-finger: 250-EXPN
smtp-finger: 250-VERB
smtp-finger: 250-8BITMIME
smtp-finger: 250-SIZE 2500
smtp-finger: 250-DSN
smtp-finger: 250-ETRN
smtp-finger: 250-STARTTLS
smtp-finger: 250-DELIVERBY
smtp-finger: 250 HELP
smtp-finger: STARTTLS
smtp-finger: 220 2.0.0 Ready to start TLS
smtp-finger: certificate verification failed for
cs.columbia.edu[128.59.16.20]:25: untrusted issuer /C=US/O=Equifax Secure
Inc./CN=Equifax Secure Global eBusiness CA-1
smtp-finger: TLSv1 connection to
cs.columbia.edu(cs.columbia.edu[128.59.16.20]:25) with cipher
DHE-RSA-AES256-SHA (256/256 bits)
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-cs.columbia.edu Hello amnesiac.ms.com [192.0.2.1],
pleased to meet you
smtp-finger: 250-ENHANCEDSTATUSCODES
smtp-finger: 250-PIPELINING
smtp-finger: 250-EXPN
smtp-finger: 250-VERB
smtp-finger: 250-8BITMIME
smtp-finger: 250-SIZE 2500
smtp-finger: 250-DSN
smtp-finger: 250-ETRN
smtp-finger: 250-AUTH PLAIN LOGIN
smtp-finger: 250-DELIVERBY
smtp-finger: 250 HELP
smtp-finger: Unverified: subject_CN=cs.columbia.edu, issuer=Equifax Secure
Global eBusiness CA-1
smtp-finger: Server session id:
8EA8B66A9DCCA0903BF75B7FC71316CE201330A0B1B09114FB6BE15E25AA9827
smtp-finger: Common Name: cs.columbia.edu: matched
---
Certificate chain
0
s:/C=US/O=cs.columbia.edu/OU=https://services.choicepoint.net/get.jsp?GT1305/OU=See
www.geotrust.com/quickssl/cps (c)04/OU=Domain Control Validated - This is a
GeoTrust QuickSSL Premium(R) Certificate/CN=cs.columbia.edu
i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
smtp-finger: Connected to ober.cs.columbia.edu[128.59.18.100]:25
smtp-finger: 220 ober.cs.columbia.edu ESMTP Sendmail
(8.12.10/22/jtt/sed/ib42) is thrilled to serve you at Sat, 13 Jan 2007 13:27:14
-0500 (EST).
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-ober.cs.columbia.edu Hello amnesiac.ms.com [192.0.2.1],
pleased to meet you
smtp-finger: 250-ENHANCEDSTATUSCODES
smtp-finger: 250-PIPELINING
smtp-finger: 250-EXPN
smtp-finger: 250-VERB
smtp-finger: 250-8BITMIME
smtp-finger: 250-SIZE 2500
smtp-finger: 250-DSN
smtp-finger: 250-ETRN
smtp-finger: 250-STARTTLS
smtp-finger: 250-DELIVERBY
smtp-finger: 250 HELP
smtp-finger: STARTTLS
smtp-finger: 220 2.0.0 Ready to start TLS
smtp-finger: certificate verification failed for
ober.cs.columbia.edu[128.59.18.100]:25: untrusted issuer /C=US/O=Equifax Secure
Inc./CN=Equifax Secure Global eBusiness CA-1
smtp-finger: TLSv1 connection to
ober.cs.columbia.edu(ober.cs.columbia.edu[128.59.18.100]:25) with cipher
DHE-RSA-AES256-SHA (256/256 bits)
smtp-finger: EHLO amnesiac.ms.com
smtp-finger: 250-ober.cs.columbia.edu Hello amnesiac.ms.com [192.0.2.1],
pleased to meet you
smtp-finger: 250-ENHANCEDSTATUSCODES
smtp-finger: 250-PIPELINING
smtp-finger: 250-EXPN
smtp-finger: 250-VERB
smtp-finger: