Gmail and SSL
On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine <johnl at iecc.com> wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to governments for their filtering firewalls.

The governments in question are watching for exfiltration and they
largely use a less risky approach: they issue their own root key and,
in most cases, install it in the government employees' browser before
handing them the machine.

A "reputable" SSL signer would have to get outed just once issuing a
government a resigning cert and they'd be kicked out of all the
browsers. They'd be awfully easy to catch.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004