The Guardian also open-sourced a test SSL cert
github.com
Issuer: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/emailAddress=martyn.inglis@guardian.co.uk
Subject: C=GB, ST=London, L=London, O=GU, OU=tech, CN=*.int.gnl/emailAddress=martyn.inglis@guardian.co.uk
This isn't the Guardian's certificate. It's self-signed, for starters. This is just a self-signed cert.
Before everyone gets hysterical, please vote ^^^ that comment up. It's a self-signed cert, it is not used in production:
Yep. Though it opens up a (probably hypothetical) potential attack if this cert is widely trusted on, say, Guardian employees' development machines.
They updated it with this comment
> this is a TEST key for local development - NOT an important key
HTTPS does not seem to be properly configured on their servers anyway, I get a "You attempted to reach www.theguardian.com, but instead you actually reached a server identifying itself as *.a.ssl.fastly.net." error when trying to connect over HTTPS.
That's interesting because they do have content protected by a sign in system. Are they just not using HTTPS for that? I kind of expected more from the Guardian.
It's a CDN. CloudFlare operates the same way.
Wouldn't this allow someone to do a full man-in-the-middle attack with a compromised server/DNS server?
If it were the actual cert they're using, yes.
Oh I see now that it's just the self signed cert. Awesome :)
So now anyone snooping on visitors to Guardian's site can decrypt the communication. Don't see why anyone would waste time on this given that there is no 'money' involved.
Yes, just checked now.
It's not the real one; it's a test SSL cert.
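The two things commenters worked out by eye, that the cert is self-signed (Issuer equals Subject) and that a CDN's certificate does not match the site hostname, can be checked mechanically. The script below is an added example, not from the thread or the Guardian's repository; it assumes the openssl command-line tool is installed, generates its own throwaway self-signed certificate with a constructed subject (the real CN and email address from the posted cert are not reused), and then runs the self-signed check, a chain-validation check against the local trust store, and the hostname check a browser performs.

```shell
#!/bin/sh
# Added example: checks a practitioner would run on a certificate that turned
# up in a public repo. Assumes the openssl CLI; everything else is local.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test cert: self-signed, wildcard CN, no SAN, the shape of a local
# development key like the one in the thread (subject values are made up).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
  -subj "/C=GB/ST=London/L=London/O=GU/OU=tech/CN=*.int.example" 2>/dev/null

# Issuer == Subject means the cert was signed with its own key: no CA vouches
# for it, so a leak only matters to machines that already trust this exact cert.
is_self_signed() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# Chain validation against the default trust store rejects it; the error text is
# "self-signed certificate" (OpenSSL 3) or "self signed certificate" (older).
fails_verification() {
  openssl verify "$1" 2>&1 | grep -qi "self.signed certificate"
}

# The hostname match a browser applies (SAN, falling back to CN). A cert for
# *.a.ssl.fastly.net failing this check for www.theguardian.com is exactly the
# error message quoted in the thread.
matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

if is_self_signed "$WORK/cert.pem"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
if fails_verification "$WORK/cert.pem"; then echo "trusted by local store: no"; else echo "trusted by local store: yes"; fi
for host in www.int.example www.theguardian.com; do
  if matches_host "$WORK/cert.pem" "$host"; then echo "$host: matches"; else echo "$host: does NOT match"; fi
done
```

For a certificate found in the wild, replace the generated file with the downloaded PEM; a cert that passes `is_self_signed` and fails `openssl verify` is exactly what the thread concluded about this one, and `-checkhost` tells you which names it would actually be accepted for.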