by capecodcarl 4255 days ago
Go to https://www.apple.com and not https://apple.com to get the correct site with the proper certificate. apple.com != www.apple.com

Indeed, they have different hosts. Akamai appears to host all of www.apple.com while the non-www server is hosted directly at 17.142.160.59 (primary), 17.178.96.59 (forwards for a lot of Apple domain names) or 17.172.224.47 (also forwards for a lot of domain names...). Oddly enough, only 17.178.96.59 has a proper certificate, but it's signed with Apple IST CA 2 - G1 from GeoTrust rather than VeriSign used everywhere else. They appear to have a misconfiguration for the other two servers configured in DNS to serve apple.com. Apple IST probably stands for Information Services and Technology group at Apple.
I know, but I always just type apple.com. It is still a problem.
Not anymore. They added a redirect.

OS X talks to plenty of apple.com subdomains and there really is no reason not to use self-signed certificates for this kind of thing.

The redirect happens _after_ the certificate warning. To get to the redirect, you have to accept the self-signed certificate first.

So it might still scare people away, and rightfully so: normal folks cannot distinguish a self-signed certificate from a maliciously used one, e.g. one used in phishing attempts.

> normal folks cannot distinguish a self-signed certificate from a maliciously used one

What do you mean by "normal folks"? Nobody can possibly distinguish this, since an attacker would also just use a self-signed certificate.
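
The situation described in the thread, where several addresses behind one name serve different certificates, can be checked per address. This is an added example, not code from any commenter; the function names are hypothetical and the hostname is supplied on the command line.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes exposed as SSLCertVerificationError.verify_code
VERIFY_CODES = {
    10: "expired",
    18: "self-signed",            # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "self-signed-in-chain",
    20: "untrusted-issuer",       # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "hostname-mismatch",
}

def classify(verify_code):
    """Label a verification error code; None means chain and name verified."""
    if verify_code is None:
        return "ok"
    return VERIFY_CODES.get(verify_code, f"verify-error-{verify_code}")

def addresses(host, port=443):
    """All IPv4 addresses for the name (one name may have several A records)."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, port=443, timeout=5.0):
    """Handshake with one specific address, sending `host` as SNI, fully verified."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:
        return "connect-error", str(exc)

def inconsistent(results):
    """True when addresses disagree on status, or verify under different issuers."""
    return len({(s, d if s == "ok" else None) for s, d in results.values()}) > 1

def audit(host):
    results = {ip: probe(ip, host) for ip in addresses(host)}
    for ip, (status, detail) in results.items():
        print(f"{host} @ {ip}: {status} ({detail})")
    return results

if __name__ == "__main__":
    import sys
    audit(sys.argv[1])
```

Run it against both the bare and the `www` name; `inconsistent()` on the returned mapping flags a name whose addresses do not all present the same verified state.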