Disclaimer: GoDaddy made me angry with a billing issue. This is what caused me to look into the value I get from them. While my language may be angry and inflammatory, the facts are not disputable. I have informed them about their messed-up SMTP TLS, but have not heard back.

Try to send a secure mail to GoDaddy-hosted addresses and they will return this message:

Sample server certificate, do not use on production systems!

Maybe they are hosting customers’ mail on non-production systems. For additional irony, they are hosted in the domain secureserver.net.

farmtomarketcreations.com. 3600 IN MX 0 smtp.secureserver.net.
farmtomarketcreations.com. 3600 IN MX 10 mailstore1.secureserver.net.

Even more irony!!!! GoDaddy doesn’t even use their own hosting for email, they use Microsoft!

godaddy.com. 3600 IN MX 0 godaddy-com.mail.protection.outlook.com.

OK, so this could be that they just use MS’s Cloud Anti-Spam and then relay the spam-free mail into their systems, but I am dubious.

A quick word about SMTP and TLS. It is a great way to keep mail more secure because it does not require the end user to know anything about it, or even that it is there. It just requires mildly qualified techs to configure their mail servers correctly. TLS, done right, will protect the message in transit from one mail system to the next.

Back to the hosting I pay for. While the MX records do not change for my hosting, the corresponding A records change a bit, and multiple tests against the same IP render different results in terms of TLS support. It appears they use technologies like global traffic management, round-robin DNS, and load balancers, and every host was configured by a different incompetent tech.

Their MX records for both names seem to correspond to the same 4 IPs:

smtp.secureserver.net. 300 IN A 72.167.238.201
smtp.secureserver.net. 300 IN A 72.167.238.29
smtp.secureserver.net. 300 IN A 68.178.213.37
smtp.secureserver.net. 300 IN A 216.69.186.201
mailstore1.secureserver.net. 300 IN A 68.178.213.37
mailstore1.secureserver.net. 300 IN A 216.69.186.201
mailstore1.secureserver.net. 300 IN A 72.167.238.201
mailstore1.secureserver.net. 300 IN A 72.167.238.29

Here’s what CheckTLS shows me over a decent number of tests. Never a score above 68 and never once a valid SSL certificate. Of 18 tests, 2/3rds fail to even allow TLS.

So, let’s look at the hosts that do offer up SSL/TLS certificates. First, they send their root certificate twice, adding to handshake time and size. The root and SSL certs are both 1024 bit. We already covered the clearly stated “Do not use”. The SSL certificate is good for 10 years? At least it is not expired. :-P Crazy… Finally, the subject common name on the SSL certificate doesn’t match any of their server names. I guess they can’t afford certificates… Wait, isn’t GoDaddy an SSL cert provider?

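The checks described above, written out as an added example (not code from the original post or from CheckTLS). The certificate fields are transcribed from the chain dumped on this page, which shows no subjectAltName, so the common name is what gets compared; the key-size and lifetime thresholds and the finding labels are this example's assumptions.

```python
from datetime import datetime

# Fields transcribed from the three-certificate chain dumped on this page.
LEAF = dict(subject="Server", issuer="CA", bits=1024, ca=False, serial="2",
            sig="sha1WithRSAEncryption",
            not_before="Nov 18 14:58:26 2010 GMT",
            not_after="Nov 15 14:58:26 2020 GMT")
ROOT = dict(LEAF, subject="CA", ca=True, serial="92:69:45:90:f7:aa:ec:38")
CHAIN = [LEAF, ROOT, dict(ROOT)]  # the server sends the root twice
MX_HOSTS = ["smtp.secureserver.net", "mailstore1.secureserver.net"]

# Policy thresholds are assumptions of this example, not values from the page.
MIN_RSA_BITS = 2048
MAX_LEAF_DAYS = 825
FMT = "%b %d %H:%M:%S %Y GMT"

def name_matches(cn, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    cn, host = cn.lower(), host.lower().rstrip(".")
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host

def audit_chain(chain, mx_hosts):
    """Return sorted finding labels for a chain given leaf-first."""
    findings, seen = set(), set()
    if not any(name_matches(chain[0]["subject"], h) for h in mx_hosts):
        findings.add("name-mismatch")
    for cert in chain:
        ident = (cert["issuer"], cert["serial"])
        if ident in seen:
            findings.add("duplicate-in-chain")
        seen.add(ident)
        if cert["bits"] < MIN_RSA_BITS:
            findings.add("weak-key")
        if cert["ca"] and cert["subject"] == cert["issuer"]:
            # Clients take trust anchors from their own store; a root in the
            # handshake only adds bytes.
            findings.add("root-in-chain")
        elif cert["sig"].lower().startswith("sha1"):
            findings.add("sha1-signature")
        days = (datetime.strptime(cert["not_after"], FMT)
                - datetime.strptime(cert["not_before"], FMT)).days
        if not cert["ca"] and days > MAX_LEAF_DAYS:
            findings.add("long-lived-leaf")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_chain(CHAIN, MX_HOSTS))
```
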
Certificate 1 of 3 in chain:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = CA
        Validity
            Not Before: Nov 18 14:58:26 2010 GMT
            Not After : Nov 15 14:58:26 2020 GMT
        Subject:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Sample server certificate, do not use on production systems!
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption

Certificate 2 of 3 in chain:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 92:69:45:90:f7:aa:ec:38
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = CA
        Validity
            Not Before: Nov 18 14:58:26 2010 GMT
            Not After : Nov 15 14:58:26 2020 GMT
        Subject:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

Certificate 3 of 3 in chain:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 92:69:45:90:f7:aa:ec:38
        Signature Algorithm: sha1WithRSAEncryption
        Issuer:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = CA
        Validity
            Not Before: Nov 18 14:58:26 2010 GMT
            Not After : Nov 15 14:58:26 2020 GMT
        Subject:
            countryName = US
            organizationName = Sample, Inc.
            organizationalUnitName = IT Team
            commonName = CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption