Gmail and SSL

Mike Jones mike at
Wed Jan 2 01:57:41 UTC 2013

On 1 January 2013 19:04, Keith Medcalf <kmedcalf at> wrote:
> Perhaps Googles other "harvesters" and the government agents they sell or give user credentials to, don't work against privately (not under the goverment thumb) encryption keys without the surveillance state expending significantly more resources.
> Perhaps the cheapest way to solve this is to apply thumbscrews and have google require the use of co-option freindly keying material by their victims errr customers errr users.

There is no difference in encryption terms between a certificate
signed by an external CA and a certificate signed by itself, in either
case only parties with the private key (which you should never send to
the CA) can decrypt messages encrypted with that public key.

Some CAs will offer to generate a key pair for you instead of managing
your own keys, however that merely demonstrates that those CAs (and
anyone who uses that service) don't know how the certificates they are
issuing are meant to work. If anyone other than the party directly
identified by the public key ever gets a copy of the private key then
those keys are no longer secure and the certificate should be revoked
immediately as it no longer has any meaning*.

But if you ignore facts (as most conspiracy theories do) and try to
argue it's part of a conspiracy to intercept data - we're talking
about hop by hop transport encryption not end to end content
encryption, google already have a copy of all the messages going
through their service anyway.

- Mike

* A CA signs to say "we have verified this is google", not "this is
either google or their CA or some other random person, well really we
don't have a clue who it is but someone gave us money to sign here" -
although the latter is probably more accurate in the real world.

More information about the NANOG mailing list