Apple.com currently has a self-signed certificate (fixed now) - quonn
https://apple.com/
apple.com currently does not have a valid certificate. Note that I'm accessing the page from Europe, so this is not the issue with China MITM-ing iCloud.
======
lstamour
Apparently you've a 50/50 chance of hitting a self-signed certificate?
[https://www.ssllabs.com/ssltest/analyze.html?d=apple.com&hid...](https://www.ssllabs.com/ssltest/analyze.html?d=apple.com&hideResults=on)
(Click on each IP address to view the results)

Correction: Qualys' tool merges tests of apple.com and www.apple.com. In fact,
you've a 66% chance of getting a self-signed certificate, as the IP addresses
starting with 17 are the ones serving the non-www apple.com redirect. This is
clearly indicated by the "Domain" column of the table, which I apparently
completely missed until just now.

~~~
lstamour
Their actual shopping website is less ambiguous:
[https://www.ssllabs.com/ssltest/analyze.html?d=store.apple.c...](https://www.ssllabs.com/ssltest/analyze.html?d=store.apple.com&hideResults=on)

------
jrochkind1
Hmm, I don't seem to get that. While it seems unlikely, could you be getting
MitM'ed?

Ah wait, are you only getting it on "[https://apple.com](https://apple.com)"?
In my Chrome browser, that immediately redirects to www.apple.com -- but if
the first one was self-signed, wouldn't it be untrusted by the browser, and
wouldn't the browser refuse to redirect and give me a warning instead?

Confused as to if I'm seeing the same thing as you or not.

~~~
roghummal
[https://apple.com](https://apple.com) does redirect to
[https://www.apple.com](https://www.apple.com), but it does so with an
Apple-issued certificate. Are you running Chrome on OS X?

If you use curl/wget/similar on a machine that doesn’t have Apple’s
certificates installed the 301 fails (bad cert).

"curl: (60) Peer certificate cannot be authenticated with known CA
certificates"

Oddly, when I first tried to load [https://apple.com](https://apple.com)
inside Vienna (OS X RSS reader) it refused to load (bad cert), now it loads
fine. Hmmm.

~~~
dekz
I am using Chrome on OSX and do not get it:

[https://gist.github.com/dekz/7c911fa633e37fb130d4](https://gist.github.com/dekz/7c911fa633e37fb130d4)

------
capecodcarl
Go to [https://www.apple.com](https://www.apple.com) and not
[https://apple.com](https://apple.com) to get the correct site with the proper
certificate. apple.com != www.apple.com

~~~
quonn
I know, but I always just type apple.com. It is still a problem.

~~~
teamhappy
Not anymore. They added a redirect.

OS X talks to plenty of apple.com subdomains and there really is no reason not
to use self-signed certificates for this kind of thing.

~~~
alternize
The redirect happens _after_ the certificate warning. To get to the redirect,
you have to accept the self-signed certificate first.

So it might still scare people away, and rightfully so: normal folks cannot
distinguish a self-signed certificate from a maliciously used one, e.g. one used
in phishing attempts.

~~~
quonn
> normal folks cannot distinguish a self-signed certificate from a maliciously
> used one

What do you mean by "normal folks"? Nobody can possibly distinguish this,
since an attacker would also just use a self-signed certificate.

------
M4v3R
Strange. I get that too. Certificate is signed by "Apple IST CA 2 - G1", with
256-bit RSA. Of course accessing their website normally doesn't go through SSL
so most people won't see this.

------
IgorPartola
This is so frustrating. So many sites are still accessible over HTTP. Perhaps
some of the security tools out there (a la ssllabs.com) should start giving
you a warning, etc. for serving anything but a 301 over HTTP.

Also, really, Apple can't figure out how to get a wildcard cert and properly
install it? I had an idea at one point to put together a bot to scan and
publicly shame Alexa top whatever sites if they don't do HTTPS properly and
consistently. Perhaps I should go back to that idea.

~~~
Kiro
Why do all sites need to be HTTPS?

~~~
sliverstorm
The typical argument is if only sensitive traffic is encrypted, you know that
something is worth attacking _because it is encrypted_.

Ergo, encrypt everything, and the sensitive stuff can hide in a sea of
meaningless traffic.

~~~
dwild
There's not much I really need to have encrypted: my bank website, my emails, my
files on cloud services and my ssh sessions.

Anyone that can do a MITM over HTTPS can really easily find the hostname of
all these IPs. In fact anyone could find the hostname of these IPs....

~~~
IgorPartola
And every password and login form you use to protect your passwords. And every
government form you fill out (they often require personal identifying info).
And every link that links to those forms, etc. There are a lot more ways to
attack a connection than just hijacking a cleartext bank password.

~~~
dwild
That's why I double and triple check the URL on important services before I
fill out everything.

------
Mandatum
Well, that's unexpected. You have to visit
[https://apple.com](https://apple.com) to hit the self-signed URL.

------
ahknight
Turns out this breaks Xcode documentation and simulator updates, too. Nice
job, Apple.

------
digitalpacman
'oh no'