[159274] in North American Network Operators' Group


Re: Gmail and SSL

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jan 2 22:04:45 2013

In-Reply-To: <CAP-guGUZ75wf2EQtWOzeuSijkmnb63ghYNmJFzFkF-obpHSnRw@mail.gmail.com>
Date: Wed, 2 Jan 2013 22:04:26 -0500
From: Christopher Morrow <christopher.morrow@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: John Levine <johnl@iecc.com>, nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Jan 2, 2013 at 8:51 PM, William Herrin <bill@herrin.us> wrote:
> secure cryptosystems." Has the EFF's SSL Observatory project detected
> even one case of a fake certificate under Etisalat's trust chain since
> then?

it's possible that the observatory won't see these in the wild, if the
observatory is on the wrong side of the connection. According to the
code EFF uses:
  <https://git.eff.org/?p=observatory.git;a=blob;f=README;h=235117a992ff83b7c04c66ba928bc1907cf76944;hb=HEAD>

it looks like they simply portscanned 0/0 for tcp/443 listeners, then
grabbed certs from the respondents. In the cases we're talking about
in this thread EFF's observatory may never be in the middle of the
conversation.

In the cases of Etisalat (or one use they may have) the scanners may
not be behind Etisalat's piece of gear which uses the CA cert in
question. "not observed in the wild" isn't really a good judge for
this particular problem I think :(

As to why the Etisalat cert isn't yet removed, I wouldn't know... it
seems a bit fishy though.

-chris
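The vantage-point problem Chris describes above can be checked directly rather than inferred from an external scan. The following is an added example, not code from the NANOG thread or from the EFF Observatory project: it fingerprints the leaf certificate actually presented on the path from wherever the script runs, and compares fingerprints collected from several vantage points so that an observer sitting behind an interception box stands out against what the open Internet sees. The vantage names, the `GENUINE_DER`/`INJECTED_DER` byte strings and the sample observation table are constructed placeholders (not real certificates); `fetch_leaf_fingerprint` needs network access and is only wired in under `__main__`.

```python
import hashlib
import socket
import ssl
from collections import Counter
from typing import Dict


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect from *this* vantage point and return the fingerprint of the leaf
    certificate presented on the wire.  Chain verification is deliberately
    disabled: a certificate minted under an interception CA would otherwise
    simply fail the handshake, and we want to record what was presented."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))


def divergent_vantages(observations: Dict[str, str]) -> Dict[str, str]:
    """Given {vantage_name: fingerprint}, return the vantages whose fingerprint
    differs from the most common one.  An observatory scanning from outside
    contributes to the majority; a client behind an in-path interception
    device sees something else, which is exactly the case an outside scan
    cannot witness."""
    if not observations:
        return {}
    majority, _ = Counter(observations.values()).most_common(1)[0]
    return {name: fp for name, fp in observations.items() if fp != majority}


# Constructed sample data: these are NOT real DER certificates, just bytes
# standing in for "the server's genuine cert" and "a cert injected in-path".
GENUINE_DER = b"constructed-genuine-leaf-certificate-bytes"
INJECTED_DER = b"constructed-injected-leaf-certificate-bytes"

# Constructed observation table: three hypothetical vantage points.
SAMPLE_OBSERVATIONS = {
    "observatory-scan": cert_fingerprint(GENUINE_DER),
    "client-in-unaffected-network": cert_fingerprint(GENUINE_DER),
    "client-behind-interception-box": cert_fingerprint(INJECTED_DER),
}


if __name__ == "__main__":
    # Offline demonstration on the constructed table.
    for name, fp in divergent_vantages(SAMPLE_OBSERVATIONS).items():
        print(f"{name} saw a different certificate: {fp}")
    # Live use from your own vantage point (hostname is an assumption):
    # print(fetch_leaf_fingerprint("mail.example.com"))
```

Run from inside the network in question and from a host outside it, then feed both fingerprints to `divergent_vantages`; disagreement between the two is the signal an outside-only scan such as a 0/0 tcp/443 sweep structurally cannot produce.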

