Saturday, January 11, 2014

Godaddy Asks People NOT TO USE ITS HOSTED EMAIL and May Not Even Use It Themselves

Disclaimer: Godaddy made me angry with a billing issue. This is what caused me to look into the value I get from them. While my language may be angry and inflammatory, the facts are not disputable. I have informed them about their messed-up SMTP TLS, but have not heard back.
Try to deliver mail over TLS to a Godaddy-hosted address and the certificate their SMTP server presents during STARTTLS carries this comment:
Sample server certificate, do not use on production systems!
Maybe they are hosting customers' mail on non-production systems. For additional irony, the servers live in the domain secureserver.net.
farmtomarketcreations.com.  3600  IN  MX  0   smtp.secureserver.net.
farmtomarketcreations.com.  3600  IN  MX  10  mailstore1.secureserver.net.
Even more irony: Godaddy doesn't even use its own hosting for email; godaddy.com's MX points at Microsoft!
godaddy.com.  3600  IN  MX  0  godaddy-com.mail.protection.outlook.com.
OK, so it could be that they just use Microsoft's cloud anti-spam filtering (mail.protection.outlook.com is the Exchange Online Protection MX) and relay the spam-free mail into their own systems, but I am dubious.
A quick word about SMTP and TLS. It is a great way to make mail more secure because it does not require the end user to know anything, or even that it is there; it just requires mildly qualified techs to configure their mail servers correctly. TLS, done right, protects a message in transit from one mail system to the next (hop by hop, not end to end: every relay on the path still sees the plaintext). "Done right" means the receiving side advertises STARTTLS on every host behind its MX records and presents a certificate a sender could actually validate: a name that matches the MX hostname, a chain to a trusted CA, and a key of adequate size. One caveat practitioners should keep in mind: most sending MTAs use opportunistic TLS and do not validate the receiving server's certificate at all, so even a bad certificate still encrypts the hop against passive eavesdropping, but it offers nothing against an active attacker who can impersonate the server or strip the STARTTLS advertisement from the EHLO response.
Back to the hosting I pay for. While the MX records for my hosting do not change, the corresponding A records change a bit, and multiple tests against the same IP give different results in terms of TLS support. It appears they use technologies like global traffic management, round-robin DNS and load balancers, and every host was configured by a different incompetent tech.
Both MX names resolve to the same four IPs:
smtp.secureserver.net.        300  IN  A  72.167.238.201
smtp.secureserver.net.        300  IN  A  72.167.238.29
smtp.secureserver.net.        300  IN  A  68.178.213.37
smtp.secureserver.net.        300  IN  A  216.69.186.201
mailstore1.secureserver.net.  300  IN  A  68.178.213.37
mailstore1.secureserver.net.  300  IN  A  216.69.186.201
mailstore1.secureserver.net.  300  IN  A  72.167.238.201
mailstore1.secureserver.net.  300  IN  A  72.167.238.29
Here's what CheckTLS shows me over a decent number of tests: never a score above 68, and never once a valid SSL certificate. Of 18 tests, two-thirds fail to even allow TLS.
[Image: Godaddy.png, CheckTLS results table]

So, let's look at the hosts that do offer up SSL/TLS certificates. First, they send their root certificate twice (certificates 2 and 3 below are byte-for-byte identical), adding to handshake time and size. The root and server certs are both 1024-bit RSA signed with SHA-1; NIST disallowed 1024-bit RSA signatures after the end of 2013, and public CAs had already stopped issuing such certificates. We already covered the clearly stated "do not use". The server certificate is good for 10 years? At least it is not expired. :-P Crazy... Finally, the subject common name on the server certificate ("Server", issued by "CA" of "Sample, Inc.") doesn't match any of their server names, and the chain ends in a self-signed sample CA that no client trusts, so no sender could validate it even if it tried. I guess they can't afford certificates... Wait, isn't Godaddy an SSL cert provider?
Certificate 1 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = Server
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:f3:89:dd:43:f0:ad:84:1a:dd:f1:fd:2c:83:bd:
          ae:01:17:d8:ab:4e:02:f4:7f:85:0a:ec:70:5e:8b:
          19:69:78:6c:61:b8:82:5b:dd:e8:ea:48:23:6b:9f:
          68:80:76:67:34:d3:94:e7:a4:54:38:bb:72:c7:ba:
          da:cc:d6:cb:f8:6b:91:53:f2:be:44:61:9c:a0:64:
          d1:02:e8:df:5b:95:7f:ae:e3:82:d1:e7:2a:96:eb:
          53:9e:17:b3:f5:d9:d1:7a:ca:dd:74:1e:97:3a:44:
          54:5d:02:54:8d:f0:7b:85:39:9f:e9:a3:f3:e7:20:
          14:1d:58:c9:f9:0d:63:fc:d3
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Comment:        
        Sample server certificate, do not use on production systems!
      Netscape Cert Type:
        SSL Server
      X509v3 Extended Key Usage:
        TLS Web Server Authentication
      X509v3 Key Usage:
        Digital Signature, Key Encipherment
  Signature Algorithm: sha1WithRSAEncryption
    38:d1:85:a8:51:8c:1b:04:a5:95:39:19:7c:6e:38:f6:e8:ef:
    27:23:40:17:11:ba:bc:7a:0c:be:39:ee:f4:2b:8d:5c:5d:dd:
    c4:ea:54:e1:d9:fd:7c:96:b2:a0:9b:67:cd:f9:06:ed:7e:02:
    8a:96:fd:f6:4d:bf:64:22:17:a5:9b:e3:33:15:7e:fe:a7:30:
    53:21:55:ba:20:c5:a6:19:50:f0:d2:44:e9:a9:1c:5a:37:20:
    cb:26:15:da:73:ba:67:29:f3:1d:f2:69:97:31:26:92:04:f9:
    6a:c3:ec:ff:6a:65:60:ef:78:54:44:7f:81:22:24:aa:e8:cd:
    fa:6b
Certificate 2 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      92:69:45:90:f7:aa:ec:38
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:
          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:
          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:
          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:
          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:
          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:
          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:
          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:
          5d:4d:43:3a:24:59:95:29:7f
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:TRUE
  Signature Algorithm: sha1WithRSAEncryption
    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:
    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:
    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:
    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:
    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:
    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:
    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:
    90:53
-----BEGIN CERTIFICATE-----
MIICFDCCAX2gAwIBAgIJAJJpRZD3quw4MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV
BAYTAlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0x
CzAJBgNVBAMTAkNBMB4XDTEwMTExODE0NTgyNloXDTIwMTExNTE0NTgyNlowQzEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDFNhbXBsZSwgSW5jLjEQMA4GA1UECxMHSVQg
VGVhbTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjt
jm+AbBBWIRa5U6kAlblgGEh2/aLkuUwhA9kXD/cJrjH2G+4/2db+U3CEW99je/Si
nTRPDlUz5u6nTLlDD3BRcbzuUGz9TkHyTc+dnJSkQIXpJ3QIePz2LuSp1T6LJ6nt
UgZFpXakKo0qEOkxbVpqdTQQTIWaXU1DOiRZlSl/AgMBAAGjEDAOMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoAQyEJJG3b3kwnEKstVcnByMV/o6F+2q
2SgJ83k7GNBN4PhslqSwUvmKzbzPHHkqbpdKiU67+ZsMTOD+oQ9TfWsEO5sFG7c3
E66dAlgUf8zVviZVTgIVu+yffbZe+urIiLG2V2JpusKx0i+nmSSQ61KlWCAigzMs
N2SEDulGkFM=
-----END CERTIFICATE-----
Certificate 3 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      92:69:45:90:f7:aa:ec:38
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Validity
      Not Before: Nov 18 14:58:26 2010 GMT
      Not After : Nov 15 14:58:26 2020 GMT
    Subject:
      countryName         = US
      organizationName      = Sample, Inc.
      organizationalUnitName  = IT Team
      commonName        = CA
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Modulus:
          00:b8:ed:8e:6f:80:6c:10:56:21:16:b9:53:a9:00:
          95:b9:60:18:48:76:fd:a2:e4:b9:4c:21:03:d9:17:
          0f:f7:09:ae:31:f6:1b:ee:3f:d9:d6:fe:53:70:84:
          5b:df:63:7b:f4:a2:9d:34:4f:0e:55:33:e6:ee:a7:
          4c:b9:43:0f:70:51:71:bc:ee:50:6c:fd:4e:41:f2:
          4d:cf:9d:9c:94:a4:40:85:e9:27:74:08:78:fc:f6:
          2e:e4:a9:d5:3e:8b:27:a9:ed:52:06:45:a5:76:a4:
          2a:8d:2a:10:e9:31:6d:5a:6a:75:34:10:4c:85:9a:
          5d:4d:43:3a:24:59:95:29:7f
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:TRUE
  Signature Algorithm: sha1WithRSAEncryption
    a0:04:32:10:92:46:dd:bd:e4:c2:71:0a:b2:d5:5c:9c:1c:8c:
    57:fa:3a:17:ed:aa:d9:28:09:f3:79:3b:18:d0:4d:e0:f8:6c:
    96:a4:b0:52:f9:8a:cd:bc:cf:1c:79:2a:6e:97:4a:89:4e:bb:
    f9:9b:0c:4c:e0:fe:a1:0f:53:7d:6b:04:3b:9b:05:1b:b7:37:
    13:ae:9d:02:58:14:7f:cc:d5:be:26:55:4e:02:15:bb:ec:9f:
    7d:b6:5e:fa:ea:c8:88:b1:b6:57:62:69:ba:c2:b1:d2:2f:a7:
    99:24:90:eb:52:a5:58:20:22:83:33:2c:37:64:84:0e:e9:46:
    90:53

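As an added example (not code from the original post, and not GoDaddy's or CheckTLS's tooling), here is a small Python script that performs the checks discussed above against the "Sample, Inc." CA certificate quoted on this page, using only the standard library. A minimal DER walker is enough to pull out the serial, names, validity, RSA key size, basicConstraints and the Netscape comment that carries the "do not use" text, and `audit` turns them into the same list of complaints the post makes by hand. `fetch_smtp_cert` is the live equivalent of the CheckTLS probe (EHLO, STARTTLS, grab the peer certificate with verification deliberately off so bad certificates can be inspected rather than rejected). The 2048-bit and five-year thresholds, the EHLO name `probe.example`, and comparing the subject CN directly against the MX hostname are my assumptions, not anything the page states.

```python
import base64
import datetime
import smtplib, ssl

# The "Sample, Inc." CA certificate exactly as dumped on this page (certificate 2 of 3).
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIICFDCCAX2gAwIBAgIJAJJpRZD3quw4MA0GCSqGSIb3DQEBBQUAMEMxCzAJBgNV
BAYTAlVTMRUwEwYDVQQKEwxTYW1wbGUsIEluYy4xEDAOBgNVBAsTB0lUIFRlYW0x
CzAJBgNVBAMTAkNBMB4XDTEwMTExODE0NTgyNloXDTIwMTExNTE0NTgyNlowQzEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDFNhbXBsZSwgSW5jLjEQMA4GA1UECxMHSVQg
VGVhbTELMAkGA1UEAxMCQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALjt
jm+AbBBWIRa5U6kAlblgGEh2/aLkuUwhA9kXD/cJrjH2G+4/2db+U3CEW99je/Si
nTRPDlUz5u6nTLlDD3BRcbzuUGz9TkHyTc+dnJSkQIXpJ3QIePz2LuSp1T6LJ6nt
UgZFpXakKo0qEOkxbVpqdTQQTIWaXU1DOiRZlSl/AgMBAAGjEDAOMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAoAQyEJJG3b3kwnEKstVcnByMV/o6F+2q
2SgJ83k7GNBN4PhslqSwUvmKzbzPHHkqbpdKiU67+ZsMTOD+oQ9TfWsEO5sFG7c3
E66dAlgUf8zVviZVTgIVu+yffbZe+urIiLG2V2JpusKx0i+nmSSQ61KlWCAigzMs
N2SEDulGkFM=
-----END CERTIFICATE-----"""
POST_DATE = datetime.datetime(2014, 1, 11)        # date of this post: was the cert valid then?
OID_CN, OID_BASIC_CONSTRAINTS = b"\x55\x04\x03", b"\x55\x1d\x13"      # 2.5.4.3, 2.5.29.19
OID_NS_COMMENT = b"\x60\x86\x48\x01\x86\xf8\x42\x01\x0d"             # 2.16.840.1.113730.1.13

def der_read(data, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def name_cn(name):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return None

def parse_cert(pem):
    """Pull the fields this audit needs out of an X.509 v3 certificate."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = der_read(base64.b64decode(body))
    tbs = der_children(der_children(cert)[0][1])    # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0               # skip the explicit [0] version if present
    serial, issuer, validity, subject, spki = [tbs[k][1] for k in (i, i + 2, i + 3, i + 4, i + 5)]
    times = [datetime.datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ" if t == 0x18 else "%y%m%d%H%M%SZ")
             for t, v in der_children(validity)]    # GeneralizedTime (0x18) or UTCTime (0x17)
    rsa_key = der_children(spki)[1][1][1:]          # BIT STRING content, minus the unused-bits byte
    modulus = der_children(der_children(rsa_key)[0][1])[0][1]
    info = {"serial": format(int.from_bytes(serial, "big"), "x"),
            "issuer_cn": name_cn(issuer), "subject_cn": name_cn(subject), "self_signed": issuer == subject,
            "not_before": times[0], "not_after": times[1],
            "key_bits": int.from_bytes(modulus, "big").bit_length(), "is_ca": False, "comment": None}
    for tag, exts in tbs[i + 6:]:
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(exts)[0][1]):
            parts = der_children(ext)               # OID, optional critical BOOLEAN, OCTET STRING
            oid, octets = parts[0][1], parts[-1][1]
            if oid == OID_BASIC_CONSTRAINTS:
                bc = der_children(der_children(octets)[0][1])
                info["is_ca"] = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
            elif oid == OID_NS_COMMENT:
                info["comment"] = der_children(octets)[0][1].decode()
    return info

def audit(pem, expected_host, now=None):
    """Problems the post's checklist would flag.  The 2048-bit and five-year limits are assumptions."""
    c = parse_cert(pem)
    now = now or datetime.datetime.now()
    lifetime = (c["not_after"] - c["not_before"]).days
    problems = []
    if c["key_bits"] < 2048:
        problems.append(f"{c['key_bits']}-bit RSA key, below the 2048-bit minimum")
    if c["self_signed"]:
        problems.append("self-signed: issuer and subject are identical")
    if c["subject_cn"] != expected_host:            # real validation also checks subjectAltName
        problems.append(f"subject CN {c['subject_cn']!r} does not match {expected_host}")
    if lifetime > 5 * 365:
        problems.append(f"validity period of {lifetime} days")
    if not c["not_before"] <= now <= c["not_after"]:
        problems.append(f"not valid on {now:%Y-%m-%d}")
    if c["comment"] and "do not use" in c["comment"].lower():
        problems.append(f"certificate comment says: {c['comment']}")
    return problems

def fetch_smtp_cert(host, port=25, timeout=15):
    """EHLO, STARTTLS, return the server certificate as PEM, or None if STARTTLS is not offered.
    Verification is disabled on purpose: the point is to look at bad certificates, not reject them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")                  # assumed probe name; any FQDN works
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return ssl.DER_cert_to_PEM_cert(smtp.sock.getpeercert(binary_form=True))
```

Running `audit(SAMPLE_CA_PEM, "smtp.secureserver.net", now=POST_DATE)` reproduces the post's findings for the root: a 1024-bit key, a self-signed issuer, a CN of "CA" that matches no MX host, and a 3650-day lifetime; run with today's date it also reports that the certificate has expired. To repeat the per-IP testing the post did through CheckTLS, call `fetch_smtp_cert` once for each A record behind the MX names and pass the returned PEM to `audit`; a `None` result is a host that never offered STARTTLS at all, which is the two-thirds case in the results table above.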