https://gmail.com/ does not use a bad certificate. Here is its current certificate, as intercepted by Fiddler2:
== Server Certificate ==========
[Subject]
CN=gmail.com, O=Google Inc, L=Mountain View, S=California, C=US
[Issuer]
CN=Google Internet Authority G2, O=Google Inc, C=US
[Serial Number]
4F4A246099981C2C
[Not Before]
16/07/2014 10:04:37 PM
[Not After]
14/10/2014 11:00:00 AM
[Thumbprint]
8F1065D237732F71CAD350A3FD0089AEEAAB675E
Note the CN=gmail.com.

The actual response type from the HTTP request is a 301 Moved Permanently to https://mail.google.com/. This has two effects:

1. The browser will redirect to the destination, making a new request, with a new tunnel (because different domain) and different certificate. This is why you see a mail.google.com certificate - this is after the redirect. If you look at the address bar, the actual site you are on is http://mail.google.com/, not http://gmail.com/. It's a bit hard to catch the pre-redirect certificate in a browser, which is why I used Fiddler2.

2. The browser will cache this redirect and perform it automatically in the future, never making another request to https://gmail.com/ (that's the point of Moved Permanently). This isn't really significant to this question, but it does make it a bit harder to discover the redirect - you need to clear your caches or open a private browsing window first.
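One way to catch the pre-redirect certificate without Fiddler2, as an added example that is not part of the original answer: open one TLS connection to the bare host, send one request without following redirects, then check which names the served certificate covers and whether the Location header points at a different host (the reason a new tunnel, and a new certificate, is needed). The helper names and the SAMPLE_CERT dict are constructed for this illustration; only the live check at the bottom touches the network.

```python
import http.client
import ssl
import urllib.parse
from typing import List, Tuple

def cert_names(cert: dict) -> List[str]:
    """Hostnames covered by a getpeercert()-style dict: SAN dNSNames, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def cert_covers(cert: dict, host: str) -> bool:
    """True if host matches a certificate name exactly or via a single-label wildcard."""
    host = host.lower()
    for name in cert_names(cert):
        name = name.lower()
        if name == host:
            return True
        # *.example.com matches exactly one extra label, never the bare example.com
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def redirect_needs_new_tunnel(origin_host: str, status: int, location: str) -> Tuple[bool, str]:
    """For a redirect, report whether following it lands on another host (new TLS connection, new cert)."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False, origin_host
    target = urllib.parse.urlsplit(location).hostname or origin_host
    return target.lower() != origin_host.lower(), target

def fetch_first_hop(host: str) -> Tuple[dict, int, str]:
    """One TLS handshake and one HEAD request, no redirect following: cert, status, Location."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    cert = conn.sock.getpeercert()  # validated leaf certificate of this hop only
    location = resp.getheader("Location", "")
    conn.close()
    return cert, resp.status, location

# Constructed sample shaped like the Fiddler dump above (not a real capture).
SAMPLE_CERT = {
    "subject": ((("commonName", "gmail.com"),),),
    "subjectAltName": (("DNS", "gmail.com"), ("DNS", "*.gmail.com")),
}

if __name__ == "__main__":  # live check against the network
    cert, status, location = fetch_first_hop("gmail.com")
    print(cert_covers(cert, "gmail.com"), status, redirect_needs_new_tunnel("gmail.com", status, location))
```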
https://gmail.com doesn't even work for me. I am going to guess whatever the correct site is, it's internally directed to the mail.google.com which is an extended validation certificate. Chrome handles google websites silently. In other words Chrome knows if the website is Google or not. I assume you're using the current version on all browsers in question? – Ramhound – 2014-07-28T15:08:43.990
@Ramhound It sends a 301 Moved Permanently to mail.google.com. If you've visited it before, your browser will cache the redirection and won't even make the gmail.com request. It probably serves a different certificate. – Bob – 2014-07-28T15:12:48.390

@Bob - Yes; I sort of knew Google did that; – Ramhound – 2014-07-28T16:50:15.803