nanog mailing list archives
Re: Gmail and SSL
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 2 Jan 2013 13:39:40 -0500
On Wed, Jan 2, 2013 at 1:08 PM, William Herrin <bill () herrin us> wrote:
> As for Google (and anyone else) it escapes me why you would require a signed certificate for any connection that you're willing to also permit completely unencrypted. Encryption stops nearly every purely

raising the bar for observers is potentially a goal, no? making it simple for people to get 'more secure' email isn't a bad thing. (admittedly, requiring a signed cert now is more painful, though startssl.com makes it less so).

> passive packet capture attack, with or without a signed certificate. Even without a signed cert an encrypted data flow is much more secure than an unencrypted one. It's not an all-or-nothing deal. Encrypted with a signed or otherwise verified cert is more secure than merely encrypted which is more secure than unencrypted on a switched path which is more secure than unencrypted on a hub. None of these things is wholly insecure and none are 100% secure.

boiling down the above you mean:

  goodness-scale (goodness to the left)
  signed > self-signed > unsigned

I don't think there's much disagreement about that... the sticky wicket though is 'how much better is 'signed' vs 'self-signed' ? and I think the feeling is that:

  'if we can verify that the cert is proper/signed, we have more assurance that the end user meant for this cert to be presented. A self-signed cert could be any intermediary between me/you... we have no way to verify who is presenting the cert.'

-chris
(note the use of 'we' here is the 'royal we', I have no idea what the real reason is, but the above makes some sense to me, at least.)