> Sent: Thursday, January 3, 2013 9:01:09 AM
> Subject: Re: Gmail and SSL
> On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher
> wrote:
> > Back on topic: encryption without knowing who you're talking to is
> > worse
> > than useless (hence no self-signed certs
On 1/3/2013 9:08 PM, Jimmy Hess wrote:
I am not sure why this would be classified as a feature request. If it
is impacting you, and you had service before, then is an
Outage/Defect/Bug, full stop. Describing working service for a
previously supported scenario as a "feature request" would be be
On 1/3/13, Maxim Khitrov wrote:
> On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher wrote:
> I talked to Google Apps support a few weeks ago, sent them a link to
> this discussion, but all they could do is file a feature request.
I am not sure why this would be classified as a feature request.
I
other relevant links for this:
http://krebsonsecurity.com/2013/01/turkish-govt-enabled-phishers-to-spoof-google/
http://technet.microsoft.com/en-us/security/advisory/2798897
On Thu, Jan 3, 2013 at 4:25 PM, Steven Bellovin wrote:
>
> On Jan 3, 2013, at 3:52 PM, Matthias Leisi wrote:
>
>> On Thu,
On Jan 3, 2013, at 3:52 PM, Matthias Leisi wrote:
> On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher wrote:
>
>
>> While I'm writing, I'll also point out that the Diginotar hack which came
>> up in this discussion as an example of why CAs can't be trusted was
>> discovered due to a feature of
On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher wrote:
> While I'm writing, I'll also point out that the Diginotar hack which came
> up in this discussion as an example of why CAs can't be trusted was
> discovered due to a feature of Google's Chrome browser when a cert was
>
Similar to
http://g
On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher wrote:
> Back on topic: encryption without knowing who you're talking to is worse
> than useless (hence no self-signed certs which provide a false sense of
> security), and there are usability difficulties with exposing strong
> security to the aver
On 01/02/2013 09:14 PM, Damian Menscher wrote:
Back on topic: encryption without knowing who you're talking to is worse
than useless (hence no self-signed certs which provide a false sense of
security),
In fact, it's very useful -- what do you think the initial diffie-hellman
exchanges are doin
On Wed, 02 Jan 2013 21:14:31 -0800, Damian Menscher said:
> We're off-topic, but that decision needs to be weighed against the
> alternatives. If your alternative is running your own mailserver at home,
> then your risks are:
Let's face it - if a nation-state has you in the crosshairs, digital
o
On Wed, Jan 2, 2013 at 8:52 PM, wrote:
> On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said:
> > Aurora compromised at least 20 other companies, failed at its assumed
> > objective of seeing user data, and Google was the only organization to
> > notice, let alone have the guts to expose the
On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said:
> Aurora compromised at least 20 other companies, failed at its assumed
> objective of seeing user data, and Google was the only organization to
> notice, let alone have the guts to expose the attack [0]. And you're going
> to hold that aga
On Wed, Jan 2, 2013 at 7:31 PM, wrote:
> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>
> > Google is setting a higher bar here, which may be sufficient to deter
> > a lot of bots and script kiddies for the next few years, but it's not
> > enough against nation-state or serious profes
On 1/2/2013 10:31 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>
>> Google is setting a higher bar here, which may be sufficient to deter
>> a lot of bots and script kiddies for the next few years, but
On Wed, Jan 2, 2013 at 7:31 PM, wrote:
> On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
>
>> Google is setting a higher bar here, which may be sufficient to deter
>> a lot of bots and script kiddies for the next few years, but it's not
>> enough against nation-state or serious professio
On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said:
> Google is setting a higher bar here, which may be sufficient to deter
> a lot of bots and script kiddies for the next few years, but it's not
> enough against nation-state or serious professional level attacks.
To be fair though - if I wa
On Wed, Jan 2, 2013 at 8:51 PM, William Herrin wrote:
> secure cryptosystems." Has the EFF's SSL Observatory project detected
> even one case of a fake certificate under Etilisat's trust chain since
> then?
it's possible that the observatory won't see these in the wild, if the
observatory is on t
On 1/2/13, Steven Bellovin wrote:
[snip]
It's a shame they've stuck with a hardcoded list of "Acceptable CAs"
for certain certificates; that would be very difficult to update. The
major banks, Facebook, Hotmail, etc, possibly have not made a
promise to anyone, that all their future new renewal c
William Herrin wrote:
> The governments in question are watching for exfiltration and they
> largely use a less risky approach: they issue their own root key and,
That is a trusted first party.
Masataka Ohta
On Jan 2, 2013, at 8:25 PM, Seth David Schoen wrote:
> Steven Bellovin writes:
>
>> The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
>> I don't see any way to list the pinned certs from the browser. There is a
>> list at http://www.chromium.org/administrators/polic
,nanog@nanog.org
Subject: Re: Gmail and SSL
In resp, On 1/2/13, valdis.kletni...@vt.edu wrote:
> There's a bit more trust (not much, but a bit) to be attached to a
> cert signed by a reputable CA over and above that you should attach
> to a self-signed cert you've never seen before.
[snip]
Absolutely. A certificate whose fingerprint has p
On Wed, Jan 2, 2013 at 8:39 PM, Christopher Morrow
wrote:
> On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow
> wrote:
>> On Jan 2, 2013 7:36 PM, "William Herrin" wrote:
>>> A "reputable" SSL signer would have to get outed just once issuing a
>>> government a resigning cert and they'd be kicked
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow
wrote:
>
> On Jan 2, 2013 7:36 PM, "William Herrin" wrote:
>>
>
>> >
>> > Me, no, although I have read credible reports that otherwise reputable
>> > SSL
>> > signers have issued MITM certs to governments for their filtering
>> > firewalls.
>>
>
On Wed, Jan 02, 2013 at 07:35:49PM -0500, William Herrin wrote:
> A "reputable" SSL signer would have to get outed just once issuing a
> government a resigning cert and they'd be kicked out of all the
> browsers. They'd be awfully easy to catch.
I believe Honest Achmed said it best:
"In any case
Steven Bellovin writes:
> The only Chrome browser I have lying around right now is on a Nexus 7 tablet;
> I don't see any way to list the pinned certs from the browser. There is a
> list at http://www.chromium.org/administrators/policy-list-3, and while I
> don't know how current it is you'll not
On Jan 2, 2013 7:36 PM, "William Herrin" wrote:
>
> >
> > Me, no, although I have read credible reports that otherwise reputable
SSL
> > signers have issued MITM certs to governments for their filtering
firewalls.
>
That's not the case join is referring to.
> The governments in question are wat
Yo William!
On Wed, 2 Jan 2013 19:42:16 -0500
William Herrin wrote:
> On Wed, Jan 2, 2013 at 5:43 PM, George Herbert
> wrote:
> > If push came to shove and minor legalities were not restraining me,
> > I recall (without checking) your domain's emails come to your home,
> > and your DSL or cable
On Wed, Jan 2, 2013 at 5:43 PM, George Herbert wrote:
> If push came to shove and minor legalities were not restraining me, I
> recall (without checking) your domain's emails come to your home, and
> your DSL or cable line is sniffable, so any of the CA who email URL
> validators out could be triv
On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine wrote:
>> Are you, at this moment, able to acquire a falsely signed certificate
>> for www.herrin.us that my web browser will accept?
>
> Me, no, although I have read credible reports that otherwise reputable SSL
> signers have issued MITM certs to go
On Jan 2, 2013, at 7:15 PM, Randy Bush wrote:
>> Do you run Cert Patrol (a Firefox extension) in your browser?
>
> yes, but my main browser is chrome (ff does poorly with nine windows and
> 60+ tabs). there is some sort of pinning, or at least discussion of it.
> but it is not clear what is ac
> Do you run Cert Patrol (a Firefox extension) in your browser?
yes, but my main browser is chrome (ff does poorly with nine windows and
60+ tabs). there is some sort of pinning, or at least discussion of it.
but it is not clear what is actually provided. and i don't see evidence
of churn report
On Wed, Jan 2, 2013 at 2:27 PM, William Herrin wrote:
> On Wed, Jan 2, 2013 at 3:10 PM, George Herbert
> wrote:
>> On Wed, Jan 2, 2013 at 11:36 AM, William Herrin wrote:
>>> Communications using a key signed by a trusted
>>> third party suffer such attacks only with extraordinary difficulty on
Are you, at this moment, able to acquire a falsely signed certificate
for www.herrin.us that my web browser will accept?
Me, no, although I have read credible reports that otherwise reputable SSL
signers have issued MITM certs to governments for their filtering
firewalls.
Regards,
John Levin
On Wed, Jan 2, 2013 at 3:24 PM, Christopher Morrow
wrote:
> I think though that the 'a question for the information owner' is
> great, except that I doubt most of them are equipped with enough
> information to make the judgement themselves.
Much of the evil in the world starts with the presumptio
On Wed, Jan 2, 2013 at 3:10 PM, George Herbert wrote:
> On Wed, Jan 2, 2013 at 11:36 AM, William Herrin wrote:
>> Communications using a key signed by a trusted
>> third party suffer such attacks only with extraordinary difficulty on
>> the part of the attacker. It's purely a technical matter.
>
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin wrote:
> On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow
> wrote:
>> goodness-scale (goodness to the left)
>> signed > self-signed > unsigned
>
> Hi Chris,
>
> Self-signed and unsigned are identical. The "goodness" scale is:
>
> Encrypted & Verif
On Wed, Jan 2, 2013 at 11:36 AM, William Herrin wrote:
> Communications using a key signed by a trusted
> third party suffer such attacks only with extraordinary difficulty on
> the part of the attacker. It's purely a technical matter.
While I agree with your general characterization of MITM, the
On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow
wrote:
> goodness-scale (goodness to the left)
> signed > self-signed > unsigned
Hi Chris,
Self-signed and unsigned are identical. The "goodness" scale is:
Encrypted & Verified (signed) > Encrypted Unsigned (or self-signed,
same difference) >
On Wed, Jan 2, 2013 at 1:08 PM, William Herrin wrote:
> As for Google (and anyone else) it escapes me why you would require a
> signed certificate for any connection that you're willing to also
> permit completely unencrypted. Encryption stops nearly every purely
raising the bar for observers is
On Sun, Dec 30, 2012 at 10:46 PM, John Levine wrote:
> So the only assurance a signed cert provides is that the person who
> got the cert has some authority over a name that points to the mail
> client
What other assurance are you looking for?
The only point of a signed server certificate, the O
On Jan 2, 2013, at 7:53 AM, valdis.kletni...@vt.edu wrote:
> On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:
>
>> I would say those claiming certificates from a public CA provide no
>> assurance of authentication of server identity greater than that of a
>> self-signed one would have the bu
On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said:
> I would say those claiming certificates from a public CA provide no
> assurance of authentication of server identity greater than that of a
> self-signed one would have the burden of proof to show that it is no
> less likely for an attempted f
brokedness
in the UI might be a good idea as well.
Sent from Samsung Mobile
Original message
From: Scott Howard
Date:
To: "John R. Levine"
Cc: nanog@nanog.org
Subject: Re: Gmail and SSL
On 1 January 2013 19:04, Keith Medcalf wrote:
> Perhaps Google's other "harvesters" and the government agents they sell or
> give user credentials to, don't work against privately (not under the
> government thumb) encryption keys without the surveillance state expending
> significantly more reso
On Tue, Jan 01, 2013 at 12:04:16PM -0700, Keith Medcalf wrote:
> Perhaps the cheapest way to solve this is to apply thumbscrews and have
> google require the use of co-option friendly keying material by their
> victims errr customers errr users.
ITYM "product".
- Matt
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine wrote:
> Really, this isn't hard to understand. Current SSL signers do no more
> than tie the identity of the cert to the identity of a domain name. Anyone
> who's been following the endless crisis at ICANN about bogus WHOIS knows
> that domain nam
On Tue, Jan 1, 2013 at 2:04 PM, Keith Medcalf wrote:
> Perhaps Google's other "harvesters" and the government agents they sell or
> give user credentials to, don't work against privately (not under the
> government thumb) encryption keys without the surveillance state expending
> significantly more
olve this is to apply thumbscrews and have google
require the use of co-option friendly keying material by their victims errr
customers errr users.
Sent from Samsung Mobile
Original message
From: Christopher Morrow
Date:
To: "John R. Levine"
Cc: nanog@nanog.org
Subject: Re: Gmail and SSL
On Mon, Dec 31, 2012 at 9:07 AM, John R. Levine wrote:
> Also keep in mind that this particular argument is about the certs used to
> submit mail to Gmail, which requires a separate SMTP AUTH within the SSL
> session before you can send any mail. This isn't belt and suspenders, this
> is belt and
However, the procedures required to exploit these weaknesses are
slightly more complicated than simply producing a self-signed
certificate on the fly for man in the middle use -- they require
planning, a waiting period, because CAs do not typically issue
immediately.
Hmmn, I guess I was ri
On Sun, Dec 30, 2012 at 10:26:36PM -0600, Jimmy Hess wrote:
> These CA's will normally require interactions be done through a web
> site, there will often be captchas or other methods involved in
> applying for a certificate that are difficult to automate.
You're kidding, right? Captchas have bee
On 12/30/12, John Levine wrote:
> Do you ever buy SSL certificates? For cheap certificates ($9
> Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the
> entirety of the identity validation is to send an email message to an
> address associated with the domain, typically one of the WHOIS
>I would say those claiming certificates from a public CA provide no
>assurance of authentication of server identity greater than that of a
>self-signed one would have the burden of proof to show that it is no
>less likely for an attempted forger to be able to obtain a false
>"bought" certificate f
On 12/30/12, Keith Medcalf wrote:
> Your assertion that using "bought" certificates provides any security
> benefit whatsoever assumes facts not in evidence.
I would say those claiming certificates from a public CA provide no
assurance of authentication of server identity greater than that of a
s
"theatrics"
and false assumptions if they want to do so.
Sent from Samsung Mobile
Original message
From: Christopher Morrow
Date:
To: kmedcalf
Cc: mysi...@gmail.com,nanog@nanog.org
Subject: Re: Gmail and SSL
On Sun, Dec 30, 2012 at 3:30 PM, Keith Medcalf wrote:
> Your assertion that using "bought" certificates provides any security benefit
> whatsoever assumes facts not in evidence.
>
> Given recent failures in this space I would posit that the requirement to use
> certificates purchased from entiti
Date:
To: Randy
Cc: NANOG list
Subject: Re: Gmail and SSL
On 12/14/12, Randy wrote:
[snip]
> It explained that google is no longer accepting self signed ssl
> certificates. It claims that this change will "offer[s] a higher level of
> security to better protect your information".
Hm... Self-signed certificates, or (worse) the use of hostnames not
o
On 12/29/2012 7:41 PM, Mark - Syminet wrote:
On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis wrote:
On 12/14/2012 10:47 AM, Randy wrote:
I don't have hundreds of dollars to get my ssl certificates signed
You can get single-host certificates issued for free from StartSSL, or for very
cheaply
On Fri, 14 Dec 2012, Christopher Morrow wrote:
> On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis
> wrote:
> > In my experience, free/cheap certs "not working" on some clients is, in
> > 99.9% of cases, a misconfiguration error where the server isn't presenting
> > the cert chain properly (us
On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis wrote:
> In my experience, free/cheap certs "not working" on some clients is, in
> 99.9% of cases, a misconfiguration error where the server isn't presenting
> the cert chain properly (usually omitting the intermediate cert), which
> works on som
s point back to a root certificate in client
machines and/or software.
matthew black
california state university, long beach
-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
Sent: Friday, December 14, 2012 7:53 AM
To: nanog@nanog.org
Subject: Re: Gmail and SSL
On 12/1
[mailto:alte...@alter3d.ca]
Sent: Friday, December 14, 2012 7:53 AM
To: nanog@nanog.org
Subject: Re: Gmail and SSL
On 12/14/2012 10:47 AM, Randy wrote:
> I don't have hundreds of dollars to get my ssl certificates signed
You can get single-host certificates issued for free from StartSSL, or
On Fri, Dec 14, 2012 at 12:04 PM, Eugen Leitl wrote:
> On Fri, Dec 14, 2012 at 11:36:08AM -0500, Christopher Morrow wrote:
>
>> > Seconded. I was a hold-out for a long time on personal stuff - I trust
>> > me, I'm not paying someone else to trust me - but StartSSL makes a lot of
>> > the pain g
On Fri, Dec 14, 2012 at 11:36:08AM -0500, Christopher Morrow wrote:
> > Seconded. I was a hold-out for a long time on personal stuff - I trust me,
> > I'm not paying someone else to trust me - but StartSSL makes a lot of the
> > pain go away with minimal effort.
> >
>
> because paying for rand
On Fri, Dec 14, 2012 at 11:21 AM, Tim Franklin wrote:
>> http://www.startssl.com/
>>
>> Their certs are free and, from what I hear, are accepted by Google.
>
> Seconded. I was a hold-out for a long time on personal stuff - I trust me,
> I'm not paying someone else to trust me - but StartSSL make
On Fri, Dec 14, 2012 at 10:52 AM, Peter Kristolaitis wrote:
> On 12/14/2012 10:47 AM, Randy wrote:
>>
>> I don't have hundreds of dollars to get my ssl certificates signed
>
>
> You can get single-host certificates issued for free from StartSSL, or for
> very cheaply (under $10) from low-cost prov
> http://www.startssl.com/
>
> Their certs are free and, from what I hear, are accepted by Google.
Seconded. I was a hold-out for a long time on personal stuff - I trust me, I'm
not paying someone else to trust me - but StartSSL makes a lot of the pain go
away with minimal effort.
Regards,
Tim
On 12/14/2012 10:47 AM, Randy wrote:
I don't have hundreds of dollars to get my ssl certificates signed
You can get single-host certificates issued for free from StartSSL, or
for very cheaply (under $10) from low-cost providers like CheapSSL.com.
I've never had a problem having my StartSSL c
On Fri, 14 Dec 2012 09:47:03 -0600
Randy wrote:
> I'm hoping to reach out to google's gmail engineers with this message,
> Today I noticed that for the past 3 days, email messages from my
> personal website's pop3 were not being received into my gmail inbox.
> Naturally, I figured that my pop3