Gmail and SSL

Christopher Morrow christopher.morrow at
Thu Jan 3 03:04:26 UTC 2013

On Wed, Jan 2, 2013 at 8:51 PM, William Herrin <bill at> wrote:
> secure cryptosystems." Has the EFF's SSL Observatory project detected
> even one case of a fake certificate under Etilisat's trust chain since
> then?

it's possible that the observatory won't see these in the wild, if the
observatory is on the wrong side of the connection. According to the
code EFF uses:

it looks like they simply portscanned 0/0 for tcp/443 listeners, then
grabbed certs from the respondents. In the cases we're talking about
in this thread EFF's observatory may never be in the middle of the

In the cases of Etisalat (or one use they may have) the scanners may
not be behind etisalat's piece of gear which uses the CA cert in
question.  "not observed in the wild" isn't really a good judge for
this particular problem I think :(

As to why the Etisalat cert isn't  yet removed, I wouldn't know... it
seems a bit fishy though.


More information about the NANOG mailing list