nanog mailing list archives
Re: Gmail and SSL
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 2 Jan 2013 15:24:03 -0500
On Wed, Jan 2, 2013 at 2:36 PM, William Herrin <bill () herrin us> wrote:
> On Wed, Jan 2, 2013 at 1:39 PM, Christopher Morrow <morrowc.lists () gmail com> wrote:
>> goodness-scale (goodness to the left)
>> signed > self-signed > unsigned
>
> Hi Chris,
>
> Self-signed and unsigned are identical. The "goodness" scale is:
>
> Encrypted & Verified (signed) > Encrypted Unsigned (or self-signed, same difference) > Unencrypted but physically protected > Unprotected
>
>> I don't think there's much disagreement about that... the sticky wicket though is 'how much better is 'signed' vs 'self-signed' ? and I think the feeling is that:
>
> I don't see how "feeling" plays into it. Communications using an unverified public key are trivially vulnerable to a man-in-the-middle attack where the connection is decrypted, captured in its unencrypted form and then undetectably re-encrypted with a different key. Communications using a key signed by a trusted third party suffer such attacks only with extraordinary difficulty on the part of the attacker.
>
> It's purely a technical matter. The information you're trying to protect is either sensitive enough that this risk is unacceptable or it isn't. That's purely a question for the information owner. No one else's opinion matters for squat.

I think we're talking past each other :( I also think we're mostly saying the same thing... I think though that the 'a question for the information owner' is great, except that I doubt most of them are equipped with enough information to make the judgement themselves.

-chris
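
The verification difference discussed in this exchange can be reproduced with the openssl CLI. This is an added example, not part of either poster's message; "Demo CA", mail.example.test and the file names are constructed. It shows what a client can check for a CA-signed certificate and what it cannot check for two self-signed certificates that claim the same name.

```shell
#!/bin/sh
# Constructed demo: "Demo CA", mail.example.test and all file names are made up.
set -e
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Self-signed certificate and key for subject $2, stored under prefix $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# Certificate for subject $2 under prefix $1, signed by the CA under prefix $3.
make_signed() {
    openssl req -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/$1.csr" -days 1 -CAcreateserial \
        -CA "$DEMO_DIR/$3.crt" -CAkey "$DEMO_DIR/$3.key" \
        -out "$DEMO_DIR/$1.crt" 2>/dev/null
}

# Prints "verified" if certificate $1 chains to trust anchor $2, else "unverified".
check_chain() {
    if openssl verify -CAfile "$DEMO_DIR/$2.crt" "$DEMO_DIR/$1.crt" 2>&1 |
        grep -q ': OK$'; then
        echo verified
    else
        echo unverified
    fi
}

subject_of()     { openssl x509 -noout -subject -in "$DEMO_DIR/$1.crt"; }
fingerprint_of() { openssl x509 -noout -fingerprint -sha256 -in "$DEMO_DIR/$1.crt"; }

make_selfsigned ca "/CN=Demo CA"                  # the client's trust anchor
make_signed srv "/CN=mail.example.test" ca        # server cert signed by it
make_selfsigned own "/CN=mail.example.test"       # operator's own self-signed cert
make_selfsigned lookalike "/CN=mail.example.test" # same name, someone else's key

echo "CA-signed:              $(check_chain srv ca)"
echo "operator self-signed:   $(check_chain own ca)"
echo "look-alike self-signed: $(check_chain lookalike ca)"
# The two self-signed certificates claim the same subject; only the key
# fingerprint differs, and the client has no reference value to compare it to.
subject_of own; subject_of lookalike
fingerprint_of own; fingerprint_of lookalike
```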