Gmail and SSL

George Herbert george.herbert at
Wed Jan 2 22:43:23 UTC 2013

On Wed, Jan 2, 2013 at 2:27 PM, William Herrin <bill at> wrote:
> On Wed, Jan 2, 2013 at 3:10 PM, George Herbert <george.herbert at> wrote:
>> On Wed, Jan 2, 2013 at 11:36 AM, William Herrin <bill at> wrote:
>>> Communications using a key signed by a trusted
>>> third party suffer such attacks only with extraordinary difficulty on
>>> the part of the attacker. It's purely a technical matter.
>> While I agree with your general characterization of MITM, the
>> "extraordinary difficulty" here is not supported.
> AFAICT someone finds a way to get themselves a certificate for a
> domain they don't control every couple years or so. The hole is
> promptly plugged (and the certs revoked) before much actually happens
> as a result. Has your experience been different?
> Are you, at this moment, able to acquire a falsely signed certificate
> for that my web browser will accept?
> You're right that false certificates have been issued in the past.
> You're right that false certificates will be issued again in the
> future. No security apparatus is 100% effective. But if despite your
> resources you in particular can't make it happen in a timely manner,
> that's a meaningful barrier to mounting a man-in-the-middle attack
> against someone using properly signed certificates.
> Regards,
> Bill Herrin

There are three vectors of attack:

One, asking a CA for a cert in someone else's name and it gets issued.
As you noted, generally discovered pretty quickly and shut down, but
there's no robust external verification for the discovery process.
Also, the verifications the CAs perform to validate the user could be
subverted, as noted earlier in conversation, so they could receive
false assurances that it was the right entity asking for the keys.
That subversion could happen via registrar account hacking (known
problem) among other places, along with technical measures to monitor
unencrypted validation emails sent to proper authoritative domain
contact emails.

Two, a CA's keys can go walking (either due to technical penetration
or human corruption), and then external parties can issue their own
certs as if they were the CA.  If identified the CA can revoke its own
key and re-issue all the client certs from a new one, but someone
needs to identify that it happened.  This is alleged to have happened
at least twice, one of which the CA was shut down over, the other one
of which became opaque and ambiguous, and therefore untrustworthy.

Three, there may be crypto flaws we don't know about still lingering,
or a CA could choose easily factored numbers by bad luck and someone
could luck out grinding them.  Not a high risk (anyone SHOULD grind
their own keys some to check them for that) but nonzero.

Can I go get a key for your site right now?  I'm not going to spend
the afternoon trying (I'm working for a living) but I am reasonably
sure I could do so.  Lax checks by CAs are well described elsewhere.

If push came to shove and minor legalities were not restraining me, I
recall (without checking) your domain's emails come to your home, and
your DSL or cable line is sniffable, so any of the CA who email URL
validators out could be trivially temporarily spoofed (until you read
your email and responded) by tapping your data lines.  BGP games to
snarf your traffic are another venue, possibly not yet even covered by
wiretap laws that I know of, though I'm not currently an ISP in a
position to personally do that to you.

The same is possible but slightly harder for midsized corporate
entities.  Still possible but much harder for large ones.

If you're going to argue that that's cheating, that IS the threat envelope...

-george william herbert
george.herbert at
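An added illustration, not part of the post above, of the self-check the third point recommends: a pairwise GCD over a set of RSA public moduli flags any two keys that share a prime factor (the symptom of a weak or repeated random source at key generation). The moduli are constructed here from Mersenne primes so the expected results are certain; real 2048-bit moduli are handled by the same arithmetic.

```python
from itertools import combinations
from math import gcd

# Constructed demo moduli built from Mersenne primes (2^p - 1), which are
# known primes, so the expected GCD results are certain. Real RSA moduli
# are ~2048 bits; the arithmetic is identical.
M31 = 2**31 - 1
M61 = 2**61 - 1
M89 = 2**89 - 1
M107 = 2**107 - 1
M127 = 2**127 - 1

DEMO_MODULI = [
    M61 * M89,    # key 0
    M61 * M107,   # key 1: shares the prime M61 with key 0 (bad-RNG scenario)
    M31 * M127,   # key 2: independent of the others
]


def shared_factor_audit(moduli):
    """Pairwise GCD over public moduli.

    If two RSA keys share a prime, gcd(n1, n2) is that prime and both keys
    are fully factored; gcd == n means the same modulus was issued twice.
    Returns (i, j, common_factor) for every pair with gcd > 1.
    """
    hits = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if g > 1:
            hits.append((i, j, g))
    return hits


def undersized(moduli, min_bits=2048):
    """Indices of moduli shorter than min_bits (all demo keys are tiny)."""
    return [i for i, n in enumerate(moduli) if n.bit_length() < min_bits]


if __name__ == "__main__":
    for i, j, g in shared_factor_audit(DEMO_MODULI):
        print(f"keys {i} and {j} share a {g.bit_length()}-bit prime factor")
    print("undersized keys:", undersized(DEMO_MODULI))
```

For a real key inventory, feed the script the moduli extracted from each certificate; pairwise GCD is quadratic, so large inventories are usually run through a batch-GCD product tree instead, but the finding it reports is the same.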
