[cryptography] Gmail and SSL
iang at iang.org
Sun Dec 16 02:50:01 EST 2012
On 16/12/12 01:01 AM, James A. Donald wrote:
> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>> given some of the more recent attacks against Google (and Facebook's)
>> customers they believe that active MiTM is actually a real threat, and
>> would rather not pretend to protect you from it when they aren't, by
>> using a self-signed certificate that they haven't verified in any way,
>> even by you presenting it.
> Recent MITM attacks have been by entities that are likely to be able to
> coerce a CA.
And, given that CA-signed client certs of a low grade are typically
validated with an email confirmation, something that google itself
retains core capabilities in, over & above the CAs, and indeed, the CA's
validation will rely on google's gmail, the logic remains byzantine.
Factory-certs are generally less secure than a self-signed,
self-presented certificate. Indeed, musing aloud, it seems provable.
More information about the cryptography