Google's Gmail SMTP SSL has expired (again)

2015-04-04 Thread David Hubbard
It appears something Google allowed to happen in 2008 has happened again:

# openssl s_client -starttls smtp -connect smtp.gmail.com:587
CONNECTED(0003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust

Re: Google's Gmail SMTP SSL has expired (again)

2015-04-04 Thread Job Snijders
On Sat, Apr 04, 2015 at 07:43:52PM -, John Levine wrote:
I get a cert good through Dec 31.

Yeah, seems to be fixed now.

Vurt:~ job$ echo QUIT | openssl s_client -verify 6 -connect smtp.gmail.com:465 -showcerts | openssl x509 -noout -dates
verify depth is 6
depth=2 /C=US/O=GeoTrust

Re: Google's Gmail SMTP SSL has expired (again)

2015-04-04 Thread John Levine
I get a cert good through Dec 31.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4993746626803195625 (0x454d5a195ce8dee9)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not

Re: Gmail and SSL

2013-01-04 Thread Jay Ashworth
, January 3, 2013 9:01:09 AM Subject: Re: Gmail and SSL On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher dam...@google.com wrote: Back on topic: encryption without knowing who you're talking to is worse than useless (hence no self-signed certs which provide a false sense of security

Re: Gmail and SSL

2013-01-03 Thread Michael Thomas
On 01/02/2013 09:14 PM, Damian Menscher wrote: Back on topic: encryption without knowing who you're talking to is worse than useless (hence no self-signed certs which provide a false sense of security), In fact, it's very useful -- what do you think the initial diffie-hellman exchanges are

Re: Gmail and SSL

2013-01-03 Thread Maxim Khitrov
On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher dam...@google.com wrote: Back on topic: encryption without knowing who you're talking to is worse than useless (hence no self-signed certs which provide a false sense of security), and there are usability difficulties with exposing strong

Re: Gmail and SSL

2013-01-03 Thread Matthias Leisi
On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher dam...@google.com wrote: While I'm writing, I'll also point out that the Diginotar hack which came up in this discussion as an example of why CAs can't be trusted was discovered due to a feature of Google's Chrome browser when a cert was

Re: Gmail and SSL

2013-01-03 Thread Steven Bellovin
On Jan 3, 2013, at 3:52 PM, Matthias Leisi matth...@leisi.net wrote: On Thu, Jan 3, 2013 at 4:59 AM, Damian Menscher dam...@google.com wrote: While I'm writing, I'll also point out that the Diginotar hack which came up in this discussion as an example of why CAs can't be trusted was

Re: Gmail and SSL

2013-01-03 Thread Kyle Creyts
other relevant links for this: http://krebsonsecurity.com/2013/01/turkish-govt-enabled-phishers-to-spoof-google/ http://technet.microsoft.com/en-us/security/advisory/2798897 On Thu, Jan 3, 2013 at 4:25 PM, Steven Bellovin s...@cs.columbia.edu wrote: On Jan 3, 2013, at 3:52 PM, Matthias Leisi

Gmail and SSL

2013-01-03 Thread Gary E. Miller
Yo All! Apropos the recent discussions: Google says that someone was caught trying to use an unauthorized digital certificate issued in its name in an attempt to impersonate Google.com for a man-in-the-middle attack. http://www.wired.com/threatlevel/2013/01/google-fraudulent-certificate/ RGDS

Re: Gmail and SSL

2013-01-03 Thread Jimmy Hess
On 1/3/13, Maxim Khitrov m...@mxcrypt.com wrote: On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher dam...@google.com wrote: I talked to Google Apps support a few weeks ago, sent them a link to this discussion, but all they could do is file a feature request. I am not sure why this would be

Re: Gmail and SSL

2013-01-03 Thread Peter Kristolaitis
On 1/3/2013 9:08 PM, Jimmy Hess wrote: I am not sure why this would be classified as a feature request. If it is impacting you, and you had service before, then is an Outage/Defect/Bug, full stop. Describing working service for a previously supported scenario as a feature request would be

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said: I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:53 AM, valdis.kletni...@vt.edu wrote: On Sun, 30 Dec 2012 19:25:04 -0600, Jimmy Hess said: I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Sun, Dec 30, 2012 at 10:46 PM, John Levine jo...@iecc.com wrote: So the only assurance a signed cert provides is that the person who got the cert has some authority over a name that points to the mail client What other assurance are you looking for? The only point of a signed server

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 1:08 PM, William Herrin b...@herrin.us wrote: As for Google (and anyone else) it escapes me why you would require a signed certificate for any connection that you're willing to also permit completely unencrypted. Encryption stops nearly every purely raising the bar for

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: goodness-scale (goodness to the left) signed self-signed unsigned Hi Chris, Self-signed and unsigned are identical. The goodness scale is: Encrypted Verified (signed) Encrypted Unsigned (or self-signed,

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker. It's purely a technical matter. While I agree with your general characterization

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow morrowc.li...@gmail.com wrote: goodness-scale (goodness to the left) signed self-signed unsigned Hi Chris, Self-signed and unsigned are identical. The goodness scale

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 3:10 PM, George Herbert george.herb...@gmail.com wrote: On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker.

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 3:24 PM, Christopher Morrow morrowc.li...@gmail.com wrote: I think though that the 'a question for the information owner' is great, except that I doubt most of them are equipped with enough information to make the judgement themselves. Much of the evil in the world

Re: Gmail and SSL

2013-01-02 Thread John R. Levine
Are you, at this moment, able to acquire a falsely signed certificate for www.herrin.us that my web browser will accept? Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their filtering firewalls. Regards, John

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 2:27 PM, William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 3:10 PM, George Herbert george.herb...@gmail.com wrote: On Wed, Jan 2, 2013 at 11:36 AM, William Herrin b...@herrin.us wrote: Communications using a key signed by a trusted third party suffer such

Re: Gmail and SSL

2013-01-02 Thread Randy Bush
Do you run Cert Patrol (a Firefox extension) in your browser? yes, but my main browser is chrome (ff does poorly with nine windows and 60+ tabs). there is some sort of pinning, or at least discussion of it. but it is not clear what is actually provided. and i don't see evidence of churn

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 7:15 PM, Randy Bush ra...@psg.com wrote: Do you run Cert Patrol (a Firefox extension) in your browser? yes, but my main browser is chrome (ff does poorly with nine windows and 60+ tabs). there is some sort of pinning, or at least discussion of it. but it is not clear

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 5:38 PM, John R. Levine jo...@iecc.com wrote: Are you, at this moment, able to acquire a falsely signed certificate for www.herrin.us that my web browser will accept? Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 5:43 PM, George Herbert george.herb...@gmail.com wrote: If push came to shove and minor legalities were not restraining me, I recall (without checking) your domain's emails come to your home, and your DSL or cable line is sniffable, so any of the CA who email URL

Re: Gmail and SSL

2013-01-02 Thread Gary E. Miller
Yo William! On Wed, 2 Jan 2013 19:42:16 -0500 William Herrin b...@herrin.us wrote: On Wed, Jan 2, 2013 at 5:43 PM, George Herbert george.herb...@gmail.com wrote: If push came to shove and minor legalities were not restraining me, I recall (without checking) your domain's emails come to

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their filtering firewalls. That's not the case join is referring to. The governments in question are

Re: Gmail and SSL

2013-01-02 Thread Seth David Schoen
Steven Bellovin writes: The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at http://www.chromium.org/administrators/policy-list-3, and while I don't know how current it is you'll notice

Re: Gmail and SSL

2013-01-02 Thread Matthew Palmer
On Wed, Jan 02, 2013 at 07:35:49PM -0500, William Herrin wrote: A reputable SSL signer would have to get outed just once issuing a government a resigning cert and they'd be kicked out of all the browsers. They'd be awfully easy to catch. I believe Honest Achmed said it best: In any case by

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: Me, no, although I have read credible reports that otherwise reputable SSL signers have issued MITM certs to governments for their

Re: Gmail and SSL

2013-01-02 Thread William Herrin
On Wed, Jan 2, 2013 at 8:39 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Wed, Jan 2, 2013 at 8:03 PM, Christopher Morrow christopher.mor...@gmail.com wrote: On Jan 2, 2013 7:36 PM, William Herrin b...@herrin.us wrote: A reputable SSL signer would have to get outed just once

Re: Gmail and SSL

2013-01-02 Thread Jimmy Hess
In resp, On 1/2/13, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote: There's a bit more trust (not much, but a bit) to be attached to a cert signed by a reputable CA over and above that you should attach to a self-signed cert you've never seen before. [snip] Absolutely. A certificate

Re: Gmail and SSL

2013-01-02 Thread Keith Medcalf

Re: Gmail and SSL

2013-01-02 Thread Steven Bellovin
On Jan 2, 2013, at 8:25 PM, Seth David Schoen sch...@loyalty.org wrote: Steven Bellovin writes: The only Chrome browser I have lying around right now is on a Nexus 7 tablet; I don't see any way to list the pinned certs from the browser. There is a list at

Re: Gmail and SSL

2013-01-02 Thread Masataka Ohta
William Herrin wrote: The governments in question are watching for exfiltration and they largely use a less risky approach: they issue their own root key and, That is a trusted first party. Masataka Ohta

Re: Gmail and SSL

2013-01-02 Thread Jimmy Hess
On 1/2/13, Steven Bellovin s...@cs.columbia.edu wrote: [snip] It's a shame they've stuck with a hardcoded list of Acceptable CAs for certain certificates; that would be very difficult to update. The major banks, Facebook, Hotmail, etc, possibly have not made a promise to anyone, that all their

Re: Gmail and SSL

2013-01-02 Thread Christopher Morrow
On Wed, Jan 2, 2013 at 8:51 PM, William Herrin b...@herrin.us wrote: secure cryptosystems. Has the EFF's SSL Observatory project detected even one case of a fake certificate under Etilisat's trust chain since then? it's possible that the observatory won't see these in the wild, if the

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or serious professional level attacks. To be fair though - if I was

Re: Gmail and SSL

2013-01-02 Thread George Herbert
On Wed, Jan 2, 2013 at 7:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state or

Re: Gmail and SSL

2013-01-02 Thread Jeff Kell
On 1/2/2013 10:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's

Re: Gmail and SSL

2013-01-02 Thread Damian Menscher
On Wed, Jan 2, 2013 at 7:31 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 12:10:55 -0800, George Herbert said: Google is setting a higher bar here, which may be sufficient to deter a lot of bots and script kiddies for the next few years, but it's not enough against nation-state

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said: Aurora compromised at least 20 other companies, failed at its assumed objective of seeing user data, and Google was the only organization to notice, let alone have the guts to expose the attack [0]. And you're going to hold that

Fw: Gmail and SSL

2013-01-02 Thread Michael Painter
Michael Painter wrote: Damian Menscher wrote: [Full disclosure: I work at Google, though the opinions stated below are mine alone.] snip Good luck finding another provider that enables SSL by default [1], offers 2-factor authentication [2], warns you when you're being targeted by

Re: Gmail and SSL

2013-01-02 Thread Damian Menscher
On Wed, Jan 2, 2013 at 8:52 PM, valdis.kletni...@vt.edu wrote: On Wed, 02 Jan 2013 19:59:35 -0800, Damian Menscher said: Aurora compromised at least 20 other companies, failed at its assumed objective of seeing user data, and Google was the only organization to notice, let alone have the

Re: Gmail and SSL

2013-01-02 Thread Valdis . Kletnieks
On Wed, 02 Jan 2013 21:14:31 -0800, Damian Menscher said: We're off-topic, but that decision needs to be weighed against the alternatives. If your alternative is running your own mailserver at home, then your risks are: Let's face it - if a nation-state has you in the crosshairs, digital or

Re: Gmail and SSL

2013-01-01 Thread Christopher Morrow
On Mon, Dec 31, 2012 at 9:07 AM, John R. Levine jo...@iecc.com wrote: Also keep in mind that this particular argument is about the certs used to submit mail to Gmail, which requires a separate SMTP AUTH within the SSL session before you can send any mail. This isn't belt and suspenders, this

Re: Gmail and SSL

2013-01-01 Thread Keith Medcalf

Re: Gmail and SSL

2013-01-01 Thread Christopher Morrow
On Tue, Jan 1, 2013 at 2:04 PM, Keith Medcalf kmedc...@dessus.com wrote: Perhaps Google's other harvesters and the government agents they sell or give user credentials to, don't work against privately (not under the government thumb) encryption keys without the surveillance state expending

Re: Gmail and SSL

2013-01-01 Thread Scott Howard
On Mon, Dec 31, 2012 at 6:07 AM, John R. Levine jo...@iecc.com wrote: Really, this isn't hard to understand. Current SSL signers do no more than tie the identity of the cert to the identity of a domain name. Anyone who's been following the endless crisis at ICANN about bogus WHOIS knows that

Re: Gmail and SSL

2013-01-01 Thread Matthew Palmer
On Tue, Jan 01, 2013 at 12:04:16PM -0700, Keith Medcalf wrote: Perhaps the cheapest way to solve this is to apply thumbscrews and have google require the use of co-option friendly keying material by their victims errr customers errr users. ITYM product. - Matt

Re: Gmail and SSL

2013-01-01 Thread Mike Jones
On 1 January 2013 19:04, Keith Medcalf kmedc...@dessus.com wrote: Perhaps Google's other harvesters and the government agents they sell or give user credentials to, don't work against privately (not under the government thumb) encryption keys without the surveillance state expending

Re: Gmail and SSL

2013-01-01 Thread Keith Medcalf
brokedness in the UI might be a good idea as well.

Re: Gmail and SSL

2012-12-31 Thread Rich Kulawiec
On Sun, Dec 30, 2012 at 10:26:36PM -0600, Jimmy Hess wrote: These CA's will normally require interactions be done through a web site, there will often be captchas or other methods involved in applying for a certificate that are difficult to automate. You're kidding, right? Captchas have been

Re: Gmail and SSL

2012-12-31 Thread John R. Levine
However, the procedures required to exploit these weaknesses are slightly more complicated than simply producing a self-signed certificate on the fly for man in the middle use -- they require planning, a waiting period, because CAs do not typically issue immediately. Hmmn, I guess I was

Re: Gmail and SSL

2012-12-30 Thread Keith Medcalf

Re: Gmail and SSL

2012-12-30 Thread Christopher Morrow
On Sun, Dec 30, 2012 at 3:30 PM, Keith Medcalf kmedc...@dessus.com wrote: Your assertion that using bought certificates provides any security benefit whatsoever assumes facts not in evidence. Given recent failures in this space I would posit that the requirement to use certificates

Re: Gmail and SSL

2012-12-30 Thread Keith Medcalf
and false assumptions if they want to do so.

Re: Gmail and SSL

2012-12-30 Thread Jimmy Hess
On 12/30/12, Keith Medcalf kmedc...@dessus.com wrote: Your assertion that using bought certificates provides any security benefit whatsoever assumes facts not in evidence. I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater

Re: Gmail and SSL

2012-12-30 Thread John Levine
I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted forger to be able to obtain a false bought certificate from a

Re: Gmail and SSL

2012-12-30 Thread Jimmy Hess
On 12/30/12, John Levine jo...@iecc.com wrote: Do you ever buy SSL certificates? For cheap certificates ($9 Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the entirety of the identity validation is to send an email message to an address associated with the domain, typically one

Re: Gmail and SSL

2012-12-29 Thread Peter Kristolaitis
On 12/29/2012 7:41 PM, Mark - Syminet wrote: On Dec 14, 2012, at 7:52 AM, Peter Kristolaitis alte...@alter3d.ca wrote: On 12/14/2012 10:47 AM, Randy wrote: I don't have hundreds of dollars to get my ssl certificates signed You can get single-host certificates issued for free from StartSSL,

Re: Gmail and SSL

2012-12-29 Thread Jimmy Hess
ssl with gmail, I have had to select the plain-text pop3 option. I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my -- -JH

Re: Gmail and SSL

2012-12-20 Thread Jasper Wallace
On Fri, 14 Dec 2012, Christopher Morrow wrote: On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis alte...@alter3d.ca wrote: In my experience, free/cheap certs not working on some clients is, in 99.9% of cases, a misconfiguration error where the server isn't presenting the cert chain

Gmail and SSL

2012-12-14 Thread Randy
better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option. I don't have hundreds of dollars to get my ssl certificates signed, and to top it off, gmail never notified me of an error with fetching my mail. How many of email

Re: Gmail and SSL

2012-12-14 Thread John Peach
to better protect your information. I don't believe that this change offers better security. In fact it is now unsecured - I am unable to use ssl with gmail, I have had to select the plain-text pop3 option. I don't have hundreds of dollars to get my ssl certificates signed, and to top it off

Re: Gmail and SSL

2012-12-14 Thread Peter Kristolaitis
On 12/14/2012 10:47 AM, Randy wrote: I don't have hundreds of dollars to get my ssl certificates signed You can get single-host certificates issued for free from StartSSL, or for very cheaply (under $10) from low-cost providers like CheapSSL.com. I've never had a problem having my StartSSL

Re: Gmail and SSL

2012-12-14 Thread Tim Franklin
http://www.startssl.com/ Their certs are free and, from what I hear, are accepted by Google. Seconded. I was a hold-out for a long time on personal stuff - I trust me, I'm not paying someone else to trust me - but StartSSL makes a lot of the pain go away with minimal effort. Regards, Tim.

Re: Gmail and SSL

2012-12-14 Thread Maxim Khitrov
On Fri, Dec 14, 2012 at 10:52 AM, Peter Kristolaitis alte...@alter3d.ca wrote: On 12/14/2012 10:47 AM, Randy wrote: I don't have hundreds of dollars to get my ssl certificates signed You can get single-host certificates issued for free from StartSSL, or for very cheaply (under $10) from

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 11:21 AM, Tim Franklin t...@pelican.org wrote: http://www.startssl.com/ Their certs are free and, from what I hear, are accepted by Google. Seconded. I was a hold-out for a long time on personal stuff - I trust me, I'm not paying someone else to trust me - but

Re: Gmail and SSL

2012-12-14 Thread Eugen Leitl
On Fri, Dec 14, 2012 at 11:36:08AM -0500, Christopher Morrow wrote: Seconded. I was a hold-out for a long time on personal stuff - I trust me, I'm not paying someone else to trust me - but StartSSL makes a lot of the pain go away with minimal effort. because paying for random

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 12:04 PM, Eugen Leitl eu...@leitl.org wrote: On Fri, Dec 14, 2012 at 11:36:08AM -0500, Christopher Morrow wrote: Seconded. I was a hold-out for a long time on personal stuff - I trust me, I'm not paying someone else to trust me - but StartSSL makes a lot of the

RE: Gmail and SSL

2012-12-14 Thread Matthew Black
[mailto:alte...@alter3d.ca] Sent: Friday, December 14, 2012 7:53 AM To: nanog@nanog.org Subject: Re: Gmail and SSL On 12/14/2012 10:47 AM, Randy wrote: I don't have hundreds of dollars to get my ssl certificates signed You can get single-host certificates issued for free from StartSSL, or for very

Re: Gmail and SSL

2012-12-14 Thread Peter Kristolaitis
black california state university, long beach -Original Message- From: Peter Kristolaitis [mailto:alte...@alter3d.ca] Sent: Friday, December 14, 2012 7:53 AM To: nanog@nanog.org Subject: Re: Gmail and SSL On 12/14/2012 10:47 AM, Randy wrote: I don't have hundreds of dollars to get my

Re: Gmail and SSL

2012-12-14 Thread Christopher Morrow
On Fri, Dec 14, 2012 at 6:03 PM, Peter Kristolaitis alte...@alter3d.ca wrote: In my experience, free/cheap certs not working on some clients is, in 99.9% of cases, a misconfiguration error where the server isn't presenting the cert chain properly (usually omitting the intermediate cert), which