
Re: [LUG] Certificate authorities was Re: Email encryption, was Re: www.dcglug.org.uk

 

On Thu, May 2, 2013 at 9:25 AM, Brad Rogers wrote:
> I didn't mean expired certs.  Sorry if I gave that impression.  Google
> roll out their new certs over a period of weeks, meaning they have two
> certs in use, both valid, both unexpired.  It might not be wrong, per
> se, but it's a dumb idea, IMO.

I'm willing to give Google the benefit of the doubt here, especially
if they do it consistently. I assume they have a good reason for doing
so.

I once saw a presentation by someone who did IT security for a charity
that works in countries where the Internet is neither reliable nor
fast. But because they were sometimes seen as being on the
opposition's side by not-so-friendly governments, downloading updates
and checking certificates was extremely important.

I've also spoken to people who worked with opposition activists
directly in some of these countries. They had similar stories.

I've no idea whether this is the reason behind Google's policy, but those to
whom this kind of thing really matters tend to have somewhat different
use cases. It's good to keep that in mind.

> Not fully, given their use of two certs at certain times.  It increases
> the possibility of a man in the middle attacker's fake cert being
> accepted as valid, if only out of frustration at having to evaluate
> every cert change and just blindly accepting the new cert as valid, and
> thereby compromising an account.

You make it sound like they change certificates twice a day. 'Normal
users', for whom this kind of thing could indeed be a problem, should
never have to accept a certificate anyway.

> Yahoo accounts are much easier to get into, as evidenced by recent
> events that have affected members of this list.

They are, but I'm still not sure whether this means that they can get
in any Yahoo account, or that they can easily crack a lot of seemingly
random accounts. The latter is pretty useful if you're a spammer but
not if you want to hack into the account of a particular person. And
even if you could hack into any Yahoo account, that's pretty useless
if that person happens to use Gmail.

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
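The point made in the reply above, that a site rotating its certificate does not require users to "accept" anything as long as the new certificate chains to a trusted CA, shown as an added example that is not part of this thread or of any Google or Yahoo code. It is written in Go against the standard library only: a trusted CA issues two overlapping, currently valid certificates for one host (the "old" and "new" cert of a rollout), and a look-alike certificate for the same host is issued by a CA nobody trusts. Browser-style chain validation accepts both rotated certificates and rejects the look-alike, so the user is never asked to judge a cert change. It also goes one step beyond the thread: it pins the issuing CA's public key (SPKI hash) and shows that such a pin survives a leaf rotation while a pin on the leaf's own key would not. The host name mail.example.com, the CA names and all keys are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is a constructed name standing in for any site that rotates certs.
const Host = "mail.example.com"

// Scenario holds the constructed certificates: one trusted CA, two valid
// overlapping leafs from it, and a look-alike leaf from an untrusted CA.
type Scenario struct {
	Roots    *x509.CertPool
	CA       *x509.Certificate
	Old, New *x509.Certificate
	Rogue    *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues template signed by signer; with parent == nil it is self-signed.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func template(serial int64, name string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // modern validators match the SAN, not the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildScenario generates every key and certificate in memory.
func BuildScenario() *Scenario {
	caKey := newKey()
	ca := sign(template(1, "Trusted Example CA", true), nil, &caKey.PublicKey, caKey)
	// Two leafs with different keys, both valid right now: a rollout in progress.
	oldKey, nextKey := newKey(), newKey()
	old := sign(template(100, Host, false), ca, &oldKey.PublicKey, caKey)
	neu := sign(template(101, Host, false), ca, &nextKey.PublicKey, caKey)
	// A man-in-the-middle's cert: same host name, issued by a CA nobody trusts.
	rogueCAKey, rogueKey := newKey(), newKey()
	rogueCA := sign(template(2, "Rogue CA", true), nil, &rogueCAKey.PublicKey, rogueCAKey)
	rogue := sign(template(200, Host, false), rogueCA, &rogueKey.PublicKey, rogueCAKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Scenario{Roots: roots, CA: ca, Old: old, New: neu, Rogue: rogue}
}

// Accepted does what a browser does: chain the leaf to a trusted root and check
// the host name and validity window. It returns nil when the cert is rejected.
func Accepted(s *Scenario, leaf *x509.Certificate) [][]*x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: s.Roots, DNSName: Host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return nil
	}
	return chains
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value key pinning compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// PinSatisfied reports whether any cert in any valid chain carries a pinned key.
func PinSatisfied(chains [][]*x509.Certificate, pins map[string]bool) bool {
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return true
			}
		}
	}
	return false
}

func main() {
	s := BuildScenario()
	fmt.Println("old cert accepted:  ", Accepted(s, s.Old) != nil)
	fmt.Println("new cert accepted:  ", Accepted(s, s.New) != nil)
	fmt.Println("rogue cert accepted:", Accepted(s, s.Rogue) != nil)
	caPin := map[string]bool{SPKIPin(s.CA): true}
	fmt.Println("CA pin holds across rotation:", PinSatisfied(Accepted(s, s.New), caPin))
	fmt.Println("leaf pins differ between old and new:", SPKIPin(s.Old) != SPKIPin(s.New))
}
```

The rogue certificate fails at the chain step, not at a user prompt: no amount of "cert change fatigue" comes into it, because the client never surfaces a decision. The only client that would be tempted to click through is one that pinned the previous leaf key by hand; pinning a key higher in the chain, as the last two lines show, keeps that protection without breaking on every rotation.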