[cryptography] Gmail and SSL

ianG iang at iang.org
Sun Dec 16 02:50:01 EST 2012


On 16/12/12 01:01 AM, James A. Donald wrote:
> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>> given some of the more recent attacks against Google (and Facebook's)
>> customers they believe that active MiTM is actually a real threat, and
>> would rather not pretend to protect you from it when they aren't, by
>> using a self-signed certificate that they haven't verified in any way,
>> even by you presenting it.
>
> Recent MITM attacks have been by entities that are likely to be able to
> coerce a CA.

And, given that CA-signed client certs of a low grade are typically 
validated with an email confirmation, something that Google itself 
retains core capabilities in, over & above the CAs, and indeed, the CA's 
validation will rely on Google's Gmail, the logic remains byzantine.

Factory-certs are generally less secure than a self-signed, 
self-presented certificate.  Indeed, musing aloud, it seems provable.

iang
