[159277] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Jeff Kell)
Wed Jan 2 22:41:31 2013
Date: Wed, 2 Jan 2013 22:41:09 -0500
From: Jeff Kell <jeff-kell@utc.edu>
To: <Valdis.Kletnieks@vt.edu>
In-Reply-To: <82858.1357183894@turing-police.cc.vt.edu>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 1/2/2013 10:31 PM, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>
>> Google is setting a higher bar here, which may be sufficient to deter
>> a lot of bots and script kiddies for the next few years, but it's not
>> enough against nation-state or serious professional level attacks.
>
> To be fair though - if I was sitting on information of sufficient
value that I
> was a legitimate target for nation-state TLAs and similarly well funded
> criminal organizations, I'd have to think long and hard whether I
wanted to
> vector my e-mails through Google. It isn't even the certificate management
> issue - it's because if I was in fact the target of such attention, my
threat
> model had better well include "adversary attempts to use legal and
extralegal
> means to get at my data from within Google's infrastructure".
>
> "Operation Aurora".
Well, the "bar" started at something as trivial as FireSheep. And I'm
sure many more silly (in retrospect) exploits remain to be discovered in
any cloud-based infrastructure (the bigger the cloud, the bigger the
target, the greater the potential damages/losses).
And a lot of infrastructure remains vulnerable to something as trivial
as FireSheep.
Jeff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlDk/dUACgkQiwXJq373XhYS6QCgtUyTSNHg8zXA5JxECi/c1Jd+
oDsAn0sSG3nZXSmKWUz2+wZ/1P3EXsps
=B0X3
-----END PGP SIGNATURE-----
