When I'm opening https://india.gov.in, it's opening all right. But for https://www.india.gov.in, the browser is throwing a certificate error. Why is that happening?

3  
www is just a convention, and it's really just a subdomain, just like india is to gov in your example URL. Therefore it really depends on the DNS and/or server's configuration. – rubik 12 hours ago
8  
I believe that this question is not actually about security. – d33tah 11 hours ago
5  
Not a security question, belongs on Super User. – Michael Hampton 8 hours ago
1  
8 upvotes? Not sure how or why.. – FreeSoftwareServers 5 hours ago

www is a common prefix for websites. However, at a technical level it is just another subdomain, and there's nothing special about it. If a webserver accepts both or even more DNS names, it has to be configured that way. The server decides which configuration to use based on the DNS name in the HTTP request.

The certificate served for https://india.gov.in covers india.gov.in. It does not cover www.india.gov.in, nor does it cover any other subdomain (foo.india.gov.in) or other domain (example.com). This is the most basic form of TLS certificate, and a pretty common one.

The DNS records for india.gov.in and www.india.gov.in don't necessarily have to go to the same place; they could resolve to different IP addresses and different DNS record types. This is commonly done for hosting various applications on a single base domain, e.g. having mail.india.gov.in go to a webmail server.

A common way for companies to deal with this sort of issue is to buy a wildcard certificate (*.india.gov.in) to cover all their subdomains. OWASP recommends against this because you have to secure every endpoint that needs the certificate (in our example above, an attacker breaching the webmail could extract the certificate and use it to man-in-the-middle a connection to the normal website, or vice versa). A better option is to use a SAN certificate that includes just india.gov.in and www.india.gov.in, then set up redirects for any page requested on one domain to the other.

4  
However, connections to www.india.gov on destination ports 80 and 443 ought to be redirected to india.gov (or vice versa) such that no one ever actually has to type the "www." part of the name. IMO, a site that actually requires "www." be specified indicates an incompetent webmaster. – Monty Harder 13 hours ago
2  
Great answer, but the comment about wildcard certificates is dangerous. A lot of places are moving away from it. See owasp.org/index.php/… – Tim Brigham 13 hours ago
1  
@TimBrigham I think the real danger described there is making "including developer's machines, the secretary's machine in the lobby and the sign-in kiosk" accessible from the internet and placing your private key on such difficult to secure machines. Seriously, what the heck? Why is that even a consideration? Just like any sensitive piece of information, it should only be accessible to certain people and used on certain, secure machines. – jpmc26 11 hours ago
    
@TimBrigham Thanks, I added some notes on wildcard certs. – Xiong Chiamiov 11 hours ago
1  
@AndréBorie Google, Microsoft, and Apple are stuck in the 90s? Good to know. Alternatively, people who don't know better are used to it, and businesses would rather cater to their expectations than make them feel weird trying to force new conventions on them. – jpmc26 9 hours ago
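
Added example, not part of the original answers or comments: a simplified model of the hostname check a TLS client applies to a certificate's subjectAltName DNS entries. It shows why the single-name certificate described in the first answer fails for www, and goes slightly beyond that answer by showing that a wildcard entry stands for exactly one label. The SAN lists are constructed to mirror the answer's description (they are not read from the live site), and the function names are hypothetical.

```python
# Simplified RFC 6125-style matching of a hostname against SAN dNSName entries.
# Assumption: only a whole left-most "*" label is treated as a wildcard.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Everything to the right of the wildcard must match literally.
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.example" are rejected in this model.
    return "*" not in pattern and p_labels == h_labels


def cert_covers(san_entries, hostname: str) -> bool:
    """A certificate is valid for a hostname if any SAN entry matches it."""
    return any(san_matches(entry, hostname) for entry in san_entries)


# Constructed SAN lists for the three certificate types the answer discusses.
CERTS = {
    "single-name": ["india.gov.in"],
    "wildcard": ["*.india.gov.in"],
    "two-name SAN": ["india.gov.in", "www.india.gov.in"],
}
HOSTS = ["india.gov.in", "www.india.gov.in",
         "mail.india.gov.in", "a.mail.india.gov.in"]


def coverage_table():
    """Map each certificate type to {hostname: covered?}."""
    return {name: {h: cert_covers(sans, h) for h in HOSTS}
            for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, row in coverage_table().items():
        print(name)
        for host, ok in row.items():
            print(f"  {host:<22} {'ok' if ok else 'certificate error'}")
```

Note that the wildcard entry does not cover the bare india.gov.in, so a wildcard certificate still needs the apex name listed as a second SAN entry.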

No, you cannot always remove WWW from a host name:

$ curl -I www.google.com/settings
HTTP/1.1 302 Found

$ curl -I google.com/settings
HTTP/1.1 404 Not Found
1  
This was a poorly phrased question, but plus one for answering the title question. His title and body don't really match at all lol – FreeSoftwareServers 5 hours ago
