Gmail and SSL
- Subject: Gmail and SSL
- From: johnl at iecc.com (John R. Levine)
- Date: 31 Dec 2012 09:07:11 -0500
- In-reply-to: <CAAAwwbWXUNQKo24mHH+qyC=0uZYAzV3WqrpERg3dmCjCy0fEyg@mail.gmail.com>
- References: <CAAAwwbXrT=30++48N8UAas1DpcKWZ8dAe8fgWyeaB3zR00eJ9g@mail.gmail.com> <[email protected]> <CAAAwwbWXUNQKo24mHH+qyC=0uZYAzV3WqrpERg3dmCjCy0fEyg@mail.gmail.com>

> However, the procedures required to exploit these weaknesses are
> slightly more complicated than simply producing a self-signed
> certificate on the fly for man in the middle use -- they require
> planning, a waiting period, because CAs do not typically issue
> immediately.
Hmmn, I guess I was right, you haven't bought any certs lately.  Startcom 
typically issues on the spot, Comodo and Geotrust mail them to you within 
15 minutes.  I agree that 15 minutes is not exactly the same as 
immediately, but so what?
> And the use of credit card numbers; either legitimate ones, which
> provide a trail to trace the attacker, or stolen ones, ...
or a prepaid card bought for cash at a convenience or grocery store.
Really, this isn't hard to understand.  Current SSL signers do no more 
than tie the identity of the cert to the identity of a domain name. 
Anyone who's been following the endless crisis at ICANN about bogus WHOIS 
knows that domain names do not reliably identify anyone.
> The only question is...   Does it provide an assurance that is at all
> stronger than a self-signed certificate that can be made on the fly?
>
> And it does...  not a strong one, but a slightly stronger one.
I suppose to the extent that 0.2% is greater than 0.1%, perhaps.  But not 
enough for any sensible person to care.
Also keep in mind that this particular argument is about the certs used to 
submit mail to Gmail, which requires a separate SMTP AUTH within the SSL 
session before you can send any mail.  This isn't belt and suspenders, 
this is belt and a 1/16-inch piece of duct tape.
R's,
John
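The ordering John describes for submission to Gmail (an SSL/TLS session first, then a separate SMTP AUTH, and no mail accepted until that succeeds) as an added example that is not part of the original message and is not Gmail's code: a constructed toy model of a submission server's command state machine in Python. The hostname, the user name and the password are made up for the example; the server logic follows the generic STARTTLS (RFC 3207) and SMTP AUTH (RFC 4954) rules, not any particular provider's implementation.

```python
import base64


def auth_plain(user, password, authzid=""):
    """Build the SASL PLAIN initial response (RFC 4616): base64 of
    authzid NUL authcid NUL password. This is the blob a client sends
    after 'AUTH PLAIN ' once the TLS session is up."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


class SubmissionServer:
    """Toy model of a mail submission server's command state machine.
    Constructed for illustration only; it is not Gmail's implementation.
    It enforces: TLS first, then a separate SMTP AUTH inside the TLS
    session, and no MAIL/RCPT/DATA until authentication has succeeded."""

    def __init__(self, users, hostname="submission.example.test"):
        self.users = users          # {username: password}; sample data, made up
        self.hostname = hostname    # assumed hostname for the example
        self.tls = False            # has STARTTLS been negotiated?
        self.greeted = False        # EHLO seen in the current (TLS) layer?
        self.authed = None          # authenticated user name, or None

    def handle(self, line):
        """Return the server's reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()

        if verb == "QUIT":
            return "221 Bye"
        if verb == "EHLO":
            self.greeted = True
            # Advertise AUTH only inside TLS, so credentials never go in the clear.
            ext = ["250-" + self.hostname]
            ext.append("250-AUTH PLAIN" if self.tls else "250-STARTTLS")
            ext.append("250 8BITMIME")
            return "\r\n".join(ext)
        if not self.greeted:
            return "503 Send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls = True
            self.greeted = False    # RFC 3207: EHLO state is discarded after the handshake
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "538 Encryption required for requested authentication mechanism"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            try:
                _authzid, user, password = (
                    base64.b64decode(blob, validate=True).decode().split("\0")
                )
            except (ValueError, UnicodeDecodeError):
                return "501 Malformed AUTH PLAIN response"
            if self.users.get(user) == password:
                self.authed = user
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb in ("MAIL", "RCPT", "DATA"):
            # The gate John refers to: the TLS session alone buys nothing here.
            if self.authed is None:
                return "530 Authentication required"
            return "250 OK"
        return "502 Command not implemented"


def run_session(server, commands):
    """Feed client commands to the server and return (command, reply) pairs,
    i.e. both sides of the exchange in order."""
    return [(cmd, server.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    srv = SubmissionServer({"alice@example.test": "hunter2"})  # made-up credentials
    blob = auth_plain("alice@example.test", "hunter2")
    transcript = run_session(srv, [
        "EHLO client.example.test",
        "MAIL FROM:<alice@example.test>",   # rejected: not authenticated
        "AUTH PLAIN " + blob,               # rejected: no TLS yet
        "STARTTLS",
        "EHLO client.example.test",         # must re-EHLO inside TLS
        "AUTH PLAIN " + blob,
        "MAIL FROM:<alice@example.test>",
        "QUIT",
    ])
    for cmd, reply in transcript:
        print("C:", cmd)
        for line in reply.split("\r\n"):
            print("S:", line)
```

Running the script prints the C:/S: dialogue and shows the three distinct refusals (530 before AUTH, 538 for AUTH outside TLS, 503 for skipping the second EHLO). The model covers command ordering only; the certificate exchange itself happens inside the TLS handshake, which the model collapses into the single "220 Ready to start TLS" reply.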