Gmail and SSL

William Herrin bill at herrin.us
Thu Jan 3 00:35:49 UTC 2013


On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine <johnl at iecc.com> wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to governments for their filtering firewalls.

The governments in question are watching for exfiltration and they
largely use a less risky approach: they issue their own root key and,
in most cases, install it in the government employees' browser before
handing them the machine.

A "reputable" SSL signer would have to get outed just once issuing a
government a resigning cert and they'd be kicked out of all the
browsers. They'd be awfully easy to catch.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004




More information about the NANOG mailing list