[cryptography] Gmail and SSL

2012-12-14 Thread Eugen Leitl
- Forwarded message from Randy na...@afxr.net -

From: Randy na...@afxr.net
Date: Fri, 14 Dec 2012 09:47:03 -0600
To: NANOG list na...@nanog.org
Subject: Gmail and SSL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:17.0) Gecko/17.0 Thunderbird/17.0

I'm hoping to reach out to Google's Gmail engineers with this message.
Today I noticed that for the past 3 days, email messages from my personal
website's POP3 were not being received into my Gmail inbox. Naturally, I
figured that my POP3 service was down, but after some checking, everything
was working OK. I then checked Gmail settings, and noticed some error.
It explained that Google is no longer accepting self-signed SSL
certificates. It claims that this change will offer[s] a higher level of
security to better protect your information.
I don't believe that this change offers better security. In fact it is now
unsecured - I am unable to use SSL with Gmail, I have had to select the
plain-text POP3 option.

I don't have hundreds of dollars to get my SSL certificates signed, and to
top it off, Gmail never notified me of an error with fetching my mail. How
many email accounts trying to grab mail are failing now? I bet
thousands, as a self-signed certificate is a valid way of encrypting the
traffic.

Please Google, remove this requirement.

Source:
http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

- End forwarded message -
-- 
Eugen* Leitl <leitl> http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
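The check this complaint calls for, added here as example code (not from the list, from Randy, or from Google): connect to a POP3-over-TLS server the way a strict fetcher such as Gmail's does, with the system trust store and hostname verification, and report whether the certificate would be accepted and, if not, why. The hint table is a heuristic keyed on the usual OpenSSL/Python verification message wording, and any host you pass is your own server; no real host is assumed.

```python
import socket
import ssl

POP3S_PORT = 995  # POP3 over implicit TLS, the "SSL" option the message refers to

# Heuristic: substrings of common OpenSSL/Python verify messages -> remediation
# (assumption: the wording matches the usual OpenSSL error strings).
REMEDIATION = (
    ("self signed", "self-signed certificate is not trusted; a strict client rejects it, so obtain a CA-issued one"),
    ("local issuer", "issuer not trusted or chain incomplete; serve the intermediate(s) with the leaf"),
    ("expired", "certificate has expired; renew it"),
    ("hostname mismatch", "certificate does not cover this host name; reissue with the correct SAN"),
)

def explain_verify_failure(message):
    """Map a certificate verification error message to a remediation hint."""
    low = message.lower().replace("-", " ")  # "self-signed" and "self signed" both match
    for needle, advice in REMEDIATION:
        if needle in low:
            return advice
    return "verification failed for another reason: " + message

def cert_summary(cert):
    """Flatten the dict from SSLSocket.getpeercert() into the fields worth reporting."""
    def name(field):
        return {k: v for rdn in cert.get(field, ()) for k, v in rdn}
    subject, issuer = name("subject"), name("issuer")
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": subject == issuer,  # issuer equal to subject => self-signed leaf
        "not_after": cert.get("notAfter"),
        "dns_sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }

def probe_pop3s(host, port=POP3S_PORT, timeout=5.0):
    """Connect as a strict client (system trust store + hostname check) and report the outcome."""
    ctx = ssl.create_default_context()
    report = {"host": host, "accepted": False, "cert": None, "hint": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["accepted"] = True
                report["cert"] = cert_summary(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:  # must precede OSError: it is a subclass
        report["hint"] = explain_verify_failure(exc.verify_message or str(exc))
    except OSError as exc:
        report["hint"] = "connection failed, not a certificate problem: %s" % exc
    return report
```

Run `probe_pop3s("your.pop3.host")` against your own server: `accepted` is what a strict client decides, and `hint` separates a certificate rejection from a plain connectivity failure, which is the distinction the fetcher's silent failure hid.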


Re: [cryptography] Interactive graph of the CA ecosystem

2012-12-14 Thread Bernhard Amann
Hi,

On Dec 14, 2012, at 4:25 AM, Ralph Holz h...@net.in.tum.de wrote:

>> Root-CAs are pictured as red nodes, intermediate CAs are green.
>> The node diameter scales logarithmically with the number of
>> certificates signed by the node. Similarly, the color of the green
>> nodes scales proportional to the diameter.
>
> Hm, I do have a question. Thawte EV has an outbound link to Thawte
> Root, similarly TUM has an outbound link to DFN. I would understand
> outbound as indicating the direction of the signature, i.e. DFN ->
> TUM. So I would have expected the link between TUM and DFN to be
> inbound when I click on TUM. But it seems to be consistently applied,
> so I guess that was a conscious choice?

Well, we chose to represent the relationships between the certificates
the other way round - the child certificates point to their parent CA. However,
this is a purely semantic issue - from your point of view we just would
have to reverse all links.

> […DFN Certificates and how they are granted...]

Thank you very much, it is interesting to know the exact way this is done
at the moment. I also think that each institution (like the TUM) can only
issue certificates for a fixed set of domains. Other domains might require
manual DFN intervention.

But I am not a hundred percent positive about that - I mainly got that
impression from some threads on the Mozilla bug tracker where they discussed the DFN.

Have a nice day,
  Bernhard




Re: [cryptography] Interactive graph of the CA ecosystem

2012-12-14 Thread shawn wilson
On Fri, Dec 14, 2012 at 11:10 AM, Bernhard Amann
bernh...@icsi.berkeley.edu wrote:
> Hi,
>
> On Dec 14, 2012, at 4:25 AM, Ralph Holz h...@net.in.tum.de wrote:
>
>>> Root-CAs are pictured as red nodes, intermediate CAs are green.
>>> The node diameter scales logarithmically with the number of
>>> certificates signed by the node. Similarly, the color of the green
>>> nodes scales proportional to the diameter.
>>
>> Hm, I do have a question. Thawte EV has an outbound link to Thawte
>> Root, similarly TUM has an outbound link to DFN. I would understand
>> outbound as indicating the direction of the signature, i.e. DFN ->
>> TUM. So I would have expected the link between TUM and DFN to be
>> inbound when I click on TUM. But it seems to be consistently applied,
>> so I guess that was a conscious choice?
>
> Well, we chose to represent the relationships between the certificates
> the other way round - the child certificates point to their parent CA. However,
> this is a purely semantic issue - from your point of view we just would
> have to reverse all links.


To that end, have y'all thought of other views that would be
interesting to have? Also, can you put more metadata along with the
provider? Such as address, parent company, how long they've been a CA,
(if it's known) how many certs they've signed?


Re: [cryptography] Interactive graph of the CA ecosystem

2012-12-14 Thread Ralph Holz
Hi,

> To that end, have y'all thought of other views that would be
> interesting to have? Also, can you put more metadata along with the
> provider? Such as address, parent company, how long they've been a CA,
> (if it's known) how many certs they've signed?

Certainly nice information.

@Bernhard: That information can be found in the Mozilla spreadsheet that
Kathleen Wilson maintains in Google Docs. A Google search of
moz.dev.sec.pol should yield it.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF


Re: [cryptography] London Hum Used to Timestamp Recordings

2012-12-14 Thread Taral
On Fri, Dec 14, 2012 at 5:56 AM, mhey...@gmail.com mhey...@gmail.com wrote:
> I hope they kept that recording secret. Anybody can start recording
> now and then backdate things like recorded verbal agreements.

I think you underestimate the difficulty of *removing* hum from a recording.

--
Taral tar...@gmail.com
Please let me know if there's any further trouble I can give you.
-- Unknown


Re: [cryptography] Gmail and SSL

2012-12-14 Thread Jeffrey Walton
On Fri, Dec 14, 2012 at 10:51 AM, Eugen Leitl eu...@leitl.org wrote:
> - Forwarded message from Randy na...@afxr.net -
>
> From: Randy na...@afxr.net
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list na...@nanog.org
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
> rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to Google's Gmail engineers with this message.
> Today I noticed that for the past 3 days, email messages from my personal
> website's POP3 were not being received into my Gmail inbox. Naturally, I
> figured that my POP3 service was down, but after some checking, everything
> was working OK. I then checked Gmail settings, and noticed some error.
> It explained that Google is no longer accepting self-signed SSL
> certificates. It claims that this change will offer[s] a higher level of
> security to better protect your information.
> I don't believe that this change offers better security. In fact it is now
> unsecured - I am unable to use SSL with Gmail, I have had to select the
> plain-text POP3 option.
>
> I don't have hundreds of dollars to get my SSL certificates signed, and to
> top it off, Gmail never notified me of an error with fetching my mail. How
> many email accounts trying to grab mail are failing now? I bet
> thousands, as a self-signed certificate is a valid way of encrypting the
> traffic.
>
> Please Google, remove this requirement.
>
> Source:
> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

Ah, interesting. I first encountered this debate in New York over
opportunistic encryption in mail servers via STARTTLS (and the
security controls surrounding it).

Jeff


Re: [cryptography] Gmail and SSL

2012-12-14 Thread James A. Donald

On 2012-12-15 1:51 AM, Eugen Leitl wrote:

> - Forwarded message from Randy na...@afxr.net -
>
> From: Randy na...@afxr.net
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list na...@nanog.org
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
> rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to Google's Gmail engineers with this message.
> Today I noticed that for the past 3 days, email messages from my personal
> website's POP3 were not being received into my Gmail inbox. Naturally, I
> figured that my POP3 service was down, but after some checking, everything
> was working OK. I then checked Gmail settings, and noticed some error.
> It explained that Google is no longer accepting self-signed SSL
> certificates. It claims that this change will offer[s] a higher level of
> security to better protect your information.
> I don't believe that this change offers better security. In fact it is now
> unsecured - I am unable to use SSL with Gmail, I have had to select the
> plain-text POP3 option.


From the point of view of the state, the big advantage of SSL
certificates signed by an authority is that there are plenty of
authorities that will sign anything the state tells them to.


If, for example, your website is e-gold.com, this leads to problems.

Google has a propensity to favor state friendly solutions - more 
particularly, solutions friendly to the US Government, but not the 
Chinese or Russian government.





Re: [cryptography] Gmail and SSL

2012-12-14 Thread John Levine
> I don't have hundreds of dollars to get my SSL certificates signed, ...

I don't have a strong opinion either way about Gmail's new signing
requirement, but if the issue is money, Startcom's free certs seem to
satisfy Gmail.

Once you set up an account, it takes about five minutes to get a cert
issued.  I got one for my mail server this morning.

https://www.startssl.com/
