[cryptography] Gmail and SSL

ianG iang at iang.org
Sat Dec 15 14:23:33 EST 2012


The presence of a self-signed signature cannot possibly be less secure 
than the non-presence of any signature. If they are rejecting 
self-signed sigs, then they must also logically reject unsigned provision.

This is a common error made by many security providers in the PKI space. 
  Their security logic mistake is to assume that the self-signed 
signature is to be compared with something signed by an 'authority', 
rather than an unsigned competitor.

It is one of those enduring flaws that indicate that security isn't the 
objective with such systems.

iang



On 14/12/12 18:51 PM, Eugen Leitl wrote:
> ----- Forwarded message from Randy <nanog at afxr.net> -----
>
> From: Randy <nanog at afxr.net>
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list <nanog at nanog.org>
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
> 	rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to google's gmail engineers with this message,
> Today I noticed that for the past 3 days, email messages from my personal
> website's pop3 were not being received into my gmail inbox. Naturally, I
> figured that my pop3 service was down, but after some checking, every thing
> was working OK. I then checked gmail settings, and noticed some error.
> It explained that google is no longer accepting self signed ssl
> certificates. It claims that this change will "offer[s] a higher level of
> security to better protect your information".
> I don't believe that this change offers better security. In fact it is now
> unsecured - I am unable to use ssl with gmail, I have had to select the
> plain-text pop3 option.
>
> I don't have hundreds of dollars to get my ssl certificates signed, and to
> top it off, gmail never notified me of an error with fetching my mail. How
> many of email accounts trying to grab mail are failing now? I bet
> thousands, as a self signed certificate is a valid way of encrypting the
> traffic.
>
> Please google, remove this requirement.
>
> Source:
> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL
>
> ----- End forwarded message -----
>




More information about the cryptography mailing list