nanog mailing list archives
Re: Gmail and SSL
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Sun, 30 Dec 2012 15:34:19 -0500
On Sun, Dec 30, 2012 at 3:30 PM, Keith Medcalf <kmedcalf () dessus com> wrote:
Your assertion that using "bought" certificates provides any security benefit whatsoever assumes facts not in evidence. Given recent failures in this space I would posit that the requirement to use certificates purchased from entities "under the thumb" of government control, clearly motivated only by profit, and with highly questionable moral and ethical standards represents a huge increase in risk of passive attack and confidentiality failure where such risk did not previously exist.
Backing up some, I think the problem trying to be solved by requiring 'legitimate' certificates is stopping the obvious problems of mitm attacks, a la mallory-proxy. In the longer term, if the client can know that the server was supposed to present a cert with fingerprint XFOOBYFOOB and it can see that fingerprint for the cert presented in the session we all win, right?