Gmail and SSL

William Herrin bill at herrin.us
Thu Jan 3 00:35:49 UTC 2013


On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine <johnl at iecc.com> wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to governments for their filtering firewalls.

The governments in question are watching for exfiltration and they
largely use a less risky approach: they issue their own root key and,
in most cases, install it in the government employees' browser before
handing them the machine.

A "reputable" SSL signer would have to get outed just once issuing a
government a resigning cert and they'd be kicked out of all the
browsers. They'd be awfully easy to catch.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004


