[159266] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jan 2 20:40:04 2013
In-Reply-To: <CAL9jLabg8230zKY3j9hmyyjNEGugzD+-ar4XHg8Q-1W48waD4w@mail.gmail.com>
Date: Wed, 2 Jan 2013 20:39:52 -0500
From: Christopher Morrow <christopher.morrow@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: John Levine <johnl@iecc.com>, nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow
<christopher.morrow@gmail.com> wrote:
>
> On Jan 2, 2013 7:36 PM, "William Herrin" <bill@herrin.us> wrote:
>>
>
>> >
>> > Me, no, although I have read credible reports that otherwise reputable
>> > SSL signers have issued MITM certs to governments for their filtering
>> > firewalls.
>>
>
> That's not the case John is referring to.
>
>> The governments in question are watching for exfiltration and they
>
> No, not really. Some are busy tracking "dissidents" among their populations.
>
>> largely use a less risky approach: they issue their own root key and,
>> in most cases, install it in the government employees' browser before
>> handing them the machine.
>>
>
> Not just for employees.
>
>> A "reputable" SSL signer would have to get outed just once issuing a
>> government a re-signing cert and they'd be kicked out of all the
>> browsers. They'd be awfully easy to catch.
>>
>
> Oh! You mean like Cybertrust and Etisalat? Right... That's working just
> perfectly...

Should have included this reference link:
<https://www.eff.org/deeplinks/2010/08/open-letter-verizon>