Re: [cryptography] Gmail and SSL
I don't understand much about CAs, but I know what paypal does: you paste your public key (while being logged in via ssl, of course) and THEY sign it for you. They also show you a "key id" string (don't remember exact name) that you should include inside the encrypted request (probably against a case where the key gets compromised, but not the app's config). The user/password auth pop3 has seems equivalent to that (at least to me).

PR-wise (e.g. if there's a petition), maybe it's easier to explain this to laypeople (like me) along the lines of: "we want google to do what paypal does, but google says: privacy-via-bureaucracy or no privacy at all" and only in the fine-print dive into the way CAs work. Just a thought.

On Tue, Dec 18, 2012 at 8:18 AM, James A. Donald wrote:
> On 2012-12-18 1:25 AM, CodesInChaos wrote:
>> One could require the user to specify/confirm a certificate fingerprint on gmail in such a case. That way you're MitM proof, even with a self signed certificate.
>
> Who is the real you? Well, obviously the you that knows the gmail password.
>
> Therefore, password should not be communicated in the clear. Gmail should not care whether you have a validly signed certificate, but you should care whether gmail has a validly signed certificate, and that it has the usual signature.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Gmail and SSL
On 2012-12-18 1:25 AM, CodesInChaos wrote:
> One could require the user to specify/confirm a certificate fingerprint on gmail in such a case. That way you're MitM proof, even with a self signed certificate.

Who is the real you? Well, obviously the you that knows the gmail password.

Therefore, password should not be communicated in the clear. Gmail should not care whether you have a validly signed certificate, but you should care whether gmail has a validly signed certificate, and that it has the usual signature.
Re: [cryptography] Gmail and SSL
On 12/17/2012 11:18 AM, Andy Steingruebl wrote:
> Do you have proof of that or just speculation?

CAs have been compromised. A few: Comodo. Diginotar. KPN. If a lone attacker can crack a CA and cut arbitrary certs, a state-sponsored actor could as well.

As for buying MITM certs for DLP:

https://netsecurityit.wordpress.com/tag/data-loss-prevention/
http://www.theregister.co.uk/2012/02/09/tustwave_disavows_mitm_digital_cert/

Can a CA that's done this in the past be trusted not to do it again in the future? I don't think so. If one does it, that gives the idea to others, and they might not get caught. There is a lot of money that could be made selling them as well as a market for them (the same market for DLP hardware).

See also, Jeff Walton's post earlier to this list.

--
The Doctor [412/724/301/703] [ZS|Media]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
FizerPharm: Trust. Profit. Deniability.
Re: [cryptography] Gmail and SSL
On 12/15/2012 05:01 PM, James A. Donald wrote:
> Recent MITM attacks have been by entities that are likely to be able to coerce a CA.

Or compromise them outright.

Don't forget, there are a couple of CAs that sell signed certs for deployment in DLP hardware, too.

--
The Doctor [412/724/301/703] [ZS|Media]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
FizerPharm: Trust. Profit. Deniability.
Re: [cryptography] Gmail and SSL
One could require the user to specify/confirm a certificate fingerprint on gmail in such a case. That way you're MitM proof, even with a self signed certificate.
Re: [cryptography] Gmail and SSL
On Sat, Dec 15, 2012 at 12:23 PM, Andy Steingruebl wrote:
> I think what you really want is the ability within Google's interface to specify how you'd like the certificate verified.

yes; this is what i want. for Google to arbitrarily enforce a decision is dumb and not useful.
Re: [cryptography] Gmail and SSL
On Sun, Dec 16, 2012 at 7:52 AM, ianG wrote:
> On 16/12/12 02:41 AM, Ben Laurie wrote:
>> On Sat, Dec 15, 2012 at 10:01 PM, James A. Donald wrote:
>>> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>>>> given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.
>>>
>>> Recent MITM attacks have been by entities that are likely to be able to coerce a CA.
>>
>> This is why you need Certificate Transparency.
>
> Actually, we need a secure and private authentication system. If I was reading that in Gmail I'd suppose that it would transparently link to here:
>
> http://www.certificate-transparency.org/
>
> ;) As you say, that idea is a research idea.

I didn't say that (that site may say it, I don't know, I haven't been keeping that site updated). In fact, Google is building it, right now.

> We can only want it, we cannot need it. I see several issues (4).
>
> Just looking at CAcert, by way of counter example. CAcert does not publish its certificates because of privacy. That's actually quite a strong result, and hard to avoid [1].

CT applies to public certificates. By definition, these are not private. If CAcert wants to issue private certs in a CT world, then I suspect some changes will be needed...

> If one looks at Bitcoin or the recent many efforts to track all certificates, this represents a gold mine of datamining opportunities. Do our customers really want their security model to become a public spectacle?

Public certificates are already a public spectacle. I have no idea what Bitcoin has to do with this.

> Also (2), the notion that an auditor would be a fair arbiter of what the public wants is dead in the water. It's a non-starter.

CT is not an arbiter of anything, it is an audit trail.

> Also (3), as you acknowledge, getting the CAs to change anything is difficult, the OODA cycle is estimable at about a decade.

I think we can move faster than that. CAs have already signed up to CT.

> Which (thinking aloud) leaves cryptographic proofs that test the audit claim needed, without revealing the certificate body. But that's a fairly tough burden. Proving that my certificate is in the chain seems doable. But what we are trying to prove is that every certificate is in the chain. Without seeing every certificate.

I do not agree that that is a goal.

> Or more importantly, we want to prove that a certificate found in an MITM was in the chain or not.
>
> But (4) we already have that, in a non-cryptographic way. If we find a certificate that is apparently signed by say VeriSign root and was found in an MITM, we can simply publish it with the facts. Verisign are then encouraged to disclose (a) it was ours, (b) it wasn't ours, or (c) ummm...

The point of CT is precisely to make it possible to find MITM certs even when you are not the victim.
Re: [cryptography] Gmail and SSL
On 16/12/12 02:41 AM, Ben Laurie wrote:
> On Sat, Dec 15, 2012 at 10:01 PM, James A. Donald wrote:
>> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>>> given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.
>>
>> Recent MITM attacks have been by entities that are likely to be able to coerce a CA.
>
> This is why you need Certificate Transparency.

Actually, we need a secure and private authentication system. If I was reading that in Gmail I'd suppose that it would transparently link to here:

http://www.certificate-transparency.org/

;) As you say, that idea is a research idea. We can only want it, we cannot need it. I see several issues (4).

Just looking at CAcert, by way of counter example. CAcert does not publish its certificates because of privacy. That's actually quite a strong result, and hard to avoid [1]. If one looks at Bitcoin or the recent many efforts to track all certificates, this represents a gold mine of datamining opportunities. Do our customers really want their security model to become a public spectacle?

Also (2), the notion that an auditor would be a fair arbiter of what the public wants is dead in the water. It's a non-starter.

Also (3), as you acknowledge, getting the CAs to change anything is difficult, the OODA cycle is estimable at about a decade.

Which (thinking aloud) leaves cryptographic proofs that test the audit claim needed, without revealing the certificate body. But that's a fairly tough burden. Proving that my certificate is in the chain seems doable. But what we are trying to prove is that every certificate is in the chain. Without seeing every certificate.

Or more importantly, we want to prove that a certificate found in an MITM was in the chain or not.

But (4) we already have that, in a non-cryptographic way. If we find a certificate that is apparently signed by say VeriSign root and was found in an MITM, we can simply publish it with the facts. Verisign are then encouraged to disclose (a) it was ours, (b) it wasn't ours, or (c) ummm...

iang

[1] Byzantinely again, a CA has to avoid privacy to some extent as the PKI architecture is a privacy disaster.
Re: [cryptography] Gmail and SSL
On 16/12/12 01:01 AM, James A. Donald wrote:
> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>> given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.
>
> Recent MITM attacks have been by entities that are likely to be able to coerce a CA.

And, given that CA-signed client certs of a low grade are typically validated with an email confirmation, something that google itself retains core capabilities in, over & above the CAs, and indeed, the CA's validation will rely on google's gmail, the logic remains byzantine. Factory-certs are generally less secure than a self-signed, self-presented certificate. Indeed, musing aloud, it seems provable.

iang
Re: [cryptography] Gmail and SSL
On Sat, Dec 15, 2012 at 10:01 PM, James A. Donald wrote:
> On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
>> given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.
>
> Recent MITM attacks have been by entities that are likely to be able to coerce a CA.

This is why you need Certificate Transparency.
Re: [cryptography] Gmail and SSL
On 2012-12-16 6:23 AM, Andy Steingruebl wrote:
> given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.

Recent MITM attacks have been by entities that are likely to be able to coerce a CA.
Re: [cryptography] Gmail and SSL
On Sat, Dec 15, 2012 at 2:23 PM, ianG wrote:
> ...
>
> This is a common error made by many security providers in the PKI space. Their security logic mistake is to assume that the self-signed signature is to be compared with something signed by an 'authority', rather than an unsigned competitor.

Right. Opportunistic encryption in email systems does not make the system less secure when compared to plain text SMTP. When it passed through my desk, I approved it (though something felt uncomfortable).

Jeff

> On 14/12/12 18:51 PM, Eugen Leitl wrote:
>> - Forwarded message from Randy -
>>
>> From: Randy
>> Date: Fri, 14 Dec 2012 09:47:03 -0600
>> To: NANOG list
>> Subject: Gmail and SSL
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>>
>> I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.
>>
>> I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.
>>
>> Please google, remove this requirement.
>>
>> Source:
>> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL
Re: [cryptography] Gmail and SSL
I think what you really want is the ability within Google's interface to specify how you'd like the certificate verified.

If the threat model they are defending against is MiTM, then merely accepting the certificate without prompting from you provides protection against passive eavesdropping only, not active MiTM. They've chosen to try and defend against those who can tinker with packets, not just observe them.

You may disagree that this is the right threat to protect against (you might be more worried about the NSA observing packets for example, rather than tinkering with them) but given some of the more recent attacks against Google (and Facebook's) customers they believe that active MiTM is actually a real threat, and would rather not pretend to protect you from it when they aren't, by using a self-signed certificate that they haven't verified in any way, even by you presenting it.

The obvious solution is to either:

1. Not use TLS
2. Default to CA signed certificates
3. Support other protocols or means for you to identify what keys and/or trust-anchors you trust.

Given that Google actually controls the client-code in this case, it might actually be a truly usable use-case for the newly minted CAA and TLSA (DANE) specifications. They can't be deployed most places (browsers) because of last-mile DNS tinkering by all of the middleboxes on people's networks, but that probably isn't the case where Google is connecting to your server, using theirs.

Just a thought.

- Andy

On Fri, Dec 14, 2012 at 7:51 AM, Eugen Leitl wrote:
> - Forwarded message from Randy -
>
> From: Randy
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.
>
> I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.
>
> Please google, remove this requirement.
>
> Source:
> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL
>
> - End forwarded message -
> --
> Eugen* Leitl leitl http://leitl.org
> __
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
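Added example, not part of any message in this thread: the check CodesInChaos proposes (a user-confirmed certificate fingerprint) and the TLSA (DANE) match Andy mentions, sketched in Python for a mail fetcher. The function names and the POP3S default port 995 are assumptions of this example, and only TLSA usage 3 with selector 0 (the full end-entity certificate) is handled.

```python
import hashlib
import hmac
import socket
import ssl

# TLSA matching types from RFC 6698: 1 = SHA-256, 2 = SHA-512 (0 = exact bytes).
_TLSA_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


class PinMismatch(Exception):
    """The server's certificate is not the one the user confirmed."""


def parse_fingerprint(text):
    """Accept 'AA:BB:..', 'aa bb ..' or 'aabb..'; return the 32 raw SHA-256 bytes."""
    raw = bytes.fromhex("".join(text.replace(":", " ").split()))
    if len(raw) != 32:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return raw


def cert_matches_pin(der_cert, fingerprint):
    """True if SHA-256 over the DER certificate equals the confirmed fingerprint."""
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, parse_fingerprint(fingerprint))


def cert_matches_tlsa(der_cert, usage, selector, mtype, assoc_data):
    """Match a leaf certificate against the fields of one TLSA record."""
    if usage != 3 or selector != 0:
        # Usages 0-2 need chain building; selector 1 needs the public key
        # pulled out of the DER. Neither is covered by this example.
        raise ValueError("only TLSA usage 3 with selector 0 is handled")
    if mtype == 0:
        presented = der_cert
    elif mtype in _TLSA_DIGESTS:
        presented = _TLSA_DIGESTS[mtype](der_cert).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return hmac.compare_digest(presented, assoc_data)


def connect_pinned(host, fingerprint, port=995, timeout=10.0):
    """Open TLS to host:port and return the socket only if the pin matches.

    CA chain validation is switched off on purpose: with a self-signed
    certificate the user-confirmed fingerprint is the only trust anchor, so
    the check must pass before any USER/PASS command is written.
    """
    parse_fingerprint(fingerprint)          # reject a malformed pin up front
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, fingerprint):
        tls.close()
        raise PinMismatch("certificate fingerprint differs from the pinned one")
    return tls
```

A pin of this kind has to be re-confirmed whenever the server's certificate is reissued, and a TLSA record is only as trustworthy as the DNS answer that delivered it.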
Re: [cryptography] Gmail and SSL
On Fri, Dec 14, 2012 at 10:51 AM, Eugen Leitl wrote:
> - Forwarded message from Randy -
>
> From: Randy
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> ...
>
> I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.

Forgot to mention I believe StartCom will give you a certificate for free.

Jeff
Re: [cryptography] Gmail and SSL
The presence of a self-signed signature cannot possibly be less secure than the non-presence of any signature. If they are rejecting self-signed sigs, then they must also logically reject unsigned provision.

This is a common error made by many security providers in the PKI space. Their security logic mistake is to assume that the self-signed signature is to be compared with something signed by an 'authority', rather than an unsigned competitor.

It is one of those enduring flaws that indicate that security isn't the objective with such systems.

iang

On 14/12/12 18:51 PM, Eugen Leitl wrote:
> - Forwarded message from Randy -
>
> From: Randy
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.
>
> I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.
>
> Please google, remove this requirement.
>
> Source:
> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL
>
> - End forwarded message -
Re: [cryptography] Gmail and SSL
> I don't have hundreds of dollars to get my ssl certificates signed, ...

I don't have a strong opinion either way about Gmail's new signing requirement, but if the issue is money, Startcom's free certs seem to satisfy Gmail. Once you set up an account, it takes about five minutes to get a cert issued. I got one for my mail server this morning.

https://www.startssl.com/
Re: [cryptography] Gmail and SSL
On 2012-12-15 1:51 AM, Eugen Leitl wrote:
> - Forwarded message from Randy -
>
> From: Randy
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.

From the point of view of the state, the big advantage of SSL certificates signed by an authority, is that there are plenty of authorities that will sign anything the state tells them to. If, for example, your website is e-gold.com, this leads to problems.

Google has a propensity to favor state friendly solutions - more particularly, solutions friendly to the US Government, but not the Chinese or Russian government.
Re: [cryptography] Gmail and SSL
On Fri, Dec 14, 2012 at 10:51 AM, Eugen Leitl wrote:
> - Forwarded message from Randy -
>
> From: Randy
> Date: Fri, 14 Dec 2012 09:47:03 -0600
> To: NANOG list
> Subject: Gmail and SSL
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0
>
> I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.
>
> I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.
>
> Please google, remove this requirement.
>
> Source:
> http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

Ah, interesting. I first encountered this debate in New York over opportunistic encryption in mail servers via STARTTLS (and the security controls surrounding it).

Jeff
[cryptography] Gmail and SSL
- Forwarded message from Randy -

From: Randy
Date: Fri, 14 Dec 2012 09:47:03 -0600
To: NANOG list
Subject: Gmail and SSL
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Thunderbird/17.0

I'm hoping to reach out to google's gmail engineers with this message, Today I noticed that for the past 3 days, email messages from my personal website's pop3 were not being received into my gmail inbox. Naturally, I figured that my pop3 service was down, but after some checking, everything was working OK. I then checked gmail settings, and noticed some error. It explained that google is no longer accepting self signed ssl certificates. It claims that this change will "offer[s] a higher level of security to better protect your information". I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option.

I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email accounts trying to grab mail are failing now? I bet thousands, as a self signed certificate is a valid way of encrypting the traffic.

Please google, remove this requirement.

Source:
http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL

- End forwarded message -
--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE