[159260] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (William Herrin)
Wed Jan 2 19:36:18 2013
In-Reply-To: <alpine.BSF.2.00.1301021736500.22457@joyce.lan>
From: William Herrin <bill@herrin.us>
Date: Wed, 2 Jan 2013 19:35:49 -0500
To: "John R. Levine" <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine <johnl@iecc.com> wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to governments for their filtering firewalls.

The governments in question are watching for exfiltration and they
largely use a less risky approach: they issue their own root key and,
in most cases, install it in the government employees' browser before
handing them the machine.

A "reputable" SSL signer would have to get outed just once issuing a
government a resigning cert and they'd be kicked out of all the
browsers. They'd be awfully easy to catch.

Regards,
Bill Herrin
--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004