Gmail and SSL

John Levine johnl at iecc.com
Mon Dec 31 03:46:45 UTC 2012


>I would say those claiming certificates from a public CA provide no
>assurance of authentication of server identity greater than that of a
>self-signed one would have the burden of proof to show that it is no
>less likely for an attempted forger to be able to obtain a false
>"bought" certificate from a public trusted CA that has audited
>certification practices statement,  a certificate improperly issued
>contrary to their CPS,  than to have created a self-issued false
>self-signed certificate.

Do you ever buy SSL certificates?  For cheap certificates ($9
Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the
entirety of the identity validation is to send an email message to an
address associated with the domain, typically one of the WHOIS
addresses, or hostmaster at domain, and look for a click on an embedded
URL.  Sometimes they flag names that look particularly funky, such as
typos of famous names, but usually they don't.

So the only assurance a signed cert provides is that the person who
got the cert has some authority over a name that points to the mail
client, which need have no connection to any email address used in
mail sent from that server.  That doesn't sound like "authentication
of server identity" to me.

R's,
John



More information about the NANOG mailing list