However, the procedures required to exploit these weaknesses are
slightly more complicated than simply producing a self-signed
certificate on the fly for man in the middle use -- they require
planning, a waiting period, because CAs do not typically issue
immediately.
Hmmn, I guess I was right, you haven't bought any certs lately. Startcom
typically issues on the spot, Comodo and Geotrust mail them to you within
15 minutes. I agree that 15 minutes is not exactly the same as
immediately, but so what?
And the use of credit card numbers; either legitimate ones, which
provide a trail to trace the attacker, or stolen ones, ...
or a prepaid card bought for cash at a convenience or grocery store.
Really, this isn't hard to understand. Current SSL signers do no more
than tie the identity of the cert to the identity of a domain name.
Anyone who's been following the endless crisis at ICANN about bogus WHOIS
knows that domain names do not reliably identify anyone.
The only question is... Does it provide an assurance that is at all
stronger than a self-signed certificate that can be made on the fly?
And it does... not a strong one, but a slightly stronger one.
I supose to the extent that 0.2% is greater than 0.1%, perhaps. But not
enough for any sensible person to care.
Also keep in mind that this particular argument is about the certs used to
submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
session before you can send any mail. This isn't belt and suspenders,
this is belt and a 1/16" inch piece of duct tape.
R's,
John
