Gmail and SSL
John R. Levine
johnl at iecc.com
Mon Dec 31 14:07:11 UTC 2012
> However, the procedures required to exploit these weaknesses are
> slightly more complicated than simply producing a self-signed
> certificate on the fly for man in the middle use -- they require
> planning, a waiting period, because CAs do not typically issue

Hmmn, I guess I was right, you haven't bought any certs lately. Startcom
typically issues on the spot, Comodo and Geotrust mail them to you within
15 minutes. I agree that 15 minutes is not exactly the same as
immediately, but so what?

> And the use of credit card numbers; either legitimate ones, which
> provide a trail to trace the attacker, or stolen ones, ...

or a prepaid card bought for cash at a convenience or grocery store.

Really, this isn't hard to understand. Current SSL signers do no more
than tie the identity of the cert to the identity of a domain name.
Anyone who's been following the endless crisis at ICANN about bogus WHOIS
knows that domain names do not reliably identify anyone.

> The only question is... Does it provide an assurance that is at all
> stronger than a self-signed certificate that can be made on the fly?
> And it does... not a strong one, but a slightly stronger one.

I suppose to the extent that 0.2% is greater than 0.1%, perhaps. But not
enough for any sensible person to care.

Also keep in mind that this particular argument is about the certs used to
submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
session before you can send any mail. This isn't belt and suspenders,
this is belt and a 1/16" inch piece of duct tape.