[159211] in North American Network Operators' Group

Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (John R. Levine)
Mon Dec 31 09:08:09 2012

Date: 31 Dec 2012 09:07:11 -0500
From: "John R. Levine" <johnl@iecc.com>
To: "Jimmy Hess" <mysidia@gmail.com>
In-Reply-To: <CAAAwwbWXUNQKo24mHH+qyC=0uZYAzV3WqrpERg3dmCjCy0fEyg@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> However, the procedures required to exploit these weaknesses are
> slightly more complicated than simply  producing a self-signed
> certificate on the fly for man in the middle use --  they  require
> planning,  a waiting period,  because CAs  do not typically issue
> immediately.

Hmmn, I guess I was right, you haven't bought any certs lately.  Startcom 
typically issues on the spot, Comodo and Geotrust mail them to you within 
15 minutes.  I agree that 15 minutes is not exactly the same as 
immediately, but so what?

> And the use of credit card numbers;  either legitimate ones, which
> provide a trail to trace the attacker, or stolen ones, ...

or a prepaid card bought for cash at a convenience or grocery store.

Really, this isn't hard to understand.  Current SSL signers do no more 
than tie the identity of the cert to the identity of a domain name. 
Anyone who's been following the endless crisis at ICANN about bogus WHOIS 
knows that domain names do not reliably identify anyone.

> The only question is...   Does it provide an assurance that is at all
> stronger than a self-signed certificate that can be made on the fly?
>
> And it does...  not a strong one, but a slightly stronger one.

I suppose to the extent that 0.2% is greater than 0.1%, perhaps.  But not 
enough for any sensible person to care.

Also keep in mind that this particular argument is about the certs used to 
submit mail to Gmail, which requires a separate SMTP AUTH within the SSL 
session before you can send any mail.  This isn't belt and suspenders, 
this is belt and a 1/16" inch piece of duct tape.

R's,
John
