On Thu, May 2, 2013 at 9:25 AM, Brad Rogers wrote:

> I didn't mean expired certs. Sorry if I gave that impression. Google
> roll out their new certs over a period of weeks, meaning they have two
> certs in use, both valid, both unexpired. It might not be wrong, per
> se, but it's a dumb idea, IMO.

I'm willing to give Google the benefit of the doubt here, especially if they do it consistently. I assume they have a good reason for doing so.

I once saw a presentation by someone who did IT security for a charity that works in countries where the Internet is neither reliable nor fast. But because they were sometimes seen as being on the opposition's side by not-so-friendly governments, downloading updates and checking certificates was extremely important. I've also spoken to people who worked with opposition activists directly in some of these countries. They had similar stories.

I've no idea whether this is the reason behind Google's policy, but those to whom this kind of thing really matters tend to have somewhat different use cases. It's good to keep that in mind.

> Not fully, given their use of two certs at certain times. It increases
> the possibility of a man in the middle attacker's fake cert being
> accepted as valid, if only out of frustration at having to evaluate
> every cert change and just blindly accepting the new cert as valid, and
> thereby compromising an account.

You make it sound like they change certificates twice a day. 'Normal users', for whom this kind of thing could indeed be a problem, should never have to accept a certificate anyway.

> Yahoo accounts are much easier to get into, as evidenced by recent
> events that have affected members of this list.

They are, but I'm still not sure whether this means that they can get into any Yahoo account, or that they can easily crack a lot of seemingly random accounts. The latter is pretty useful if you're a spammer but not if you want to hack into the account of a particular person.

And even if you could hack into any Yahoo account, that's pretty useless if that person happens to use Gmail.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
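The following is an added demonstration, not part of the thread or written by either participant, of the point under discussion: two distinct, simultaneously valid certificates for one hostname are both accepted by ordinary chain validation, while a man-in-the-middle's self-signed certificate with the same name is rejected, so a client verifying against a trusted CA never has to "accept" anything by hand during a rollover. It uses the openssl command line with a throwaway private CA; the names demo-ca and mail.example.test are made up for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a private CA issues two
# overlapping, unexpired certificates for one hostname (the rollover case),
# and a separate self-signed certificate plays the man in the middle.
# Chain validation accepts both legitimate certs and rejects the forgery.
# All names here (demo-ca, mail.example.test) are invented for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private CA, standing in for the public CA a browser already trusts.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=demo-ca" -days 30 >/dev/null 2>&1

# 2. Two server certificates for the same name, signed by the same CA.
#    Both are valid at the same time, exactly as in the rollover described.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=mail.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$1.crt" -days 30 >/dev/null 2>&1
}
issue_cert old
issue_cert new

# 3. The attacker's forgery: correct CN, but signed by nobody the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -keyout mitm.key -out mitm.crt \
  -subj "/CN=mail.example.test" -days 30 >/dev/null 2>&1

# verify_cert FILE -> prints "valid" if FILE chains to ca.crt, else "invalid".
verify_cert() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# The two legitimate certs are different objects: a naive "same cert as last
# time?" check (or a user comparing fingerprints) would flag the rollover,
# even though both chain to the trusted CA.
fp_old=$(openssl x509 -in old.crt -noout -fingerprint -sha256)
fp_new=$(openssl x509 -in new.crt -noout -fingerprint -sha256)
certs_differ() { [ "$fp_old" != "$fp_new" ]; }

echo "old cert:  $(verify_cert old.crt)"
echo "new cert:  $(verify_cert new.crt)"
echo "mitm cert: $(verify_cert mitm.crt)"
certs_differ && echo "old and new certs have different fingerprints"
```

The lesson for the argument above is that a changing certificate is only a problem for a client that compares certificates by identity (pinning a leaf, or a user eyeballing a fingerprint); a client that validates the chain against its trust store treats a rollover and a forgery completely differently, with no prompt to click through.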