Gmail and SSL

Kyle Creyts kyle.creyts at gmail.com
Thu Jan 3 21:30:06 UTC 2013


Other relevant links for this:
http://krebsonsecurity.com/2013/01/turkish-govt-enabled-phishers-to-spoof-google/
http://technet.microsoft.com/en-us/security/advisory/2798897

On Thu, Jan 3, 2013 at 4:25 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
> On Jan 3, 2013, at 3:52 PM, Matthias Leisi <matthias at leisi.net> wrote:
>
>> On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher <damian at google.com> wrote:
>>
>>
>>> While I'm writing, I'll also point out that the Diginotar hack which came
>>> up in this discussion as an example of why CAs can't be trusted was
>>> discovered due to a feature of Google's Chrome browser when a cert was
>>>
>>
>> Similar to
>> http://googleonlinesecurity.blogspot.ch/2013/01/enhancing-digital-certificate-security.html?
>>
> Thanks; I was just about to post that link to this thread.
>
> Certificates don't spread virally, and random browsers don't go looking
> for whatever interesting certificates they find.  They also don't like
> certs that say "*.google.com" when the user is trying to go somewhere else;
> that web site would be non-functional unless it was trying to impersonate
> a Google domain.  Taken all together, this sounds to me like deliberate
> mischief by someone.  In fact, were it not for the facts that the blog
> post says that Google learned of this on December 24 and this thread started
> on December 14, I'd wonder if there was a connection -- was this the
> incident that made Google reassess its threat model?
>
> Of course, this attack was carried out within the official PKI framework...
>
>                 --Steve Bellovin, https://www.cs.columbia.edu/~smb

-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer
