[159283] in North American Network Operators' Group
Re: Gmail and SSL
daemon@ATHENA.MIT.EDU (Michael Thomas)
Thu Jan 3 08:37:13 2013
Date: Thu, 03 Jan 2013 05:36:48 -0800
From: Michael Thomas <mike@mtcc.com>
To: Damian Menscher <damian@google.com>
In-Reply-To: <CABSP1Od43UYymgbUDFF5CJnEHwTCHC=NzczHpsMW4xfE5qLJmg@mail.gmail.com>
Cc: John Levine <johnl@iecc.com>, nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 01/02/2013 09:14 PM, Damian Menscher wrote:
> Back on topic: encryption without knowing who you're talking to is worse
> than useless (hence no self-signed certs which provide a false sense of
> security),
In fact, it's very useful -- what do you think the initial diffie-hellman
exchanges are doing with pfs? Encryption without (strong) authentication
is still useful for dealing with passive listening. It's a shame, for example,
that wifi security doesn't encrypt everything on an open AP to require
attacks be active rather than passive. It's really easy to just scan the
airwaves, but I probably don't need to remind you of that.
Mike
