Re: Gmail and SSL

[Jay Ashworth <jra () baylink com>]

This email, right here?  This is Exhibit 1 in my "not all the tradeoffs 
of outsourcing your $SERVICE are visible or trivial" list.  Thanks.

Cheers,
-- jra

----- Original Message -----
> From: "Maxim Khitrov" <max () mxcrypt com>
> To: "Damian Menscher" <damian () google com>
> Cc: nanog () nanog org
> Sent: Thursday, January 3, 2013 9:01:09 AM
> Subject: Re: Gmail and SSL
> On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher <damian () google com>
> wrote:
> > Back on topic: encryption without knowing who you're talking to is
> > worse
> > than useless (hence no self-signed certs which provide a false sense
> > of
> > security), and there are usability difficulties with exposing strong
> > security to the average user (asking users to generate and upload a
> > self-signed cert would be a customer-support disaster, not to
> > mention all
> > the outages that would occur when those certs expired). Real-world
> > security is all about finding a reasonable balance and adapting to
> > the
> > current threats.
>
> The most recent change to POP3 mail retrieval over SSL is not a
> reasonable balance. My organization uses Google Apps for mail hosting,
> but a number of users also have us.army.mil accounts. They used to
> pull mail from their .mil account into Google Apps via POP3. Army
> servers do not allow unencrypted connections and their root
> certificates are not part of the Mozilla Root CA list (and, as you can
> guess, I have no control over their servers).
>
> Google didn't just block the use of self-signed certs; you broke
> communication with all servers using perfectly legitimate PKIs that
> are not part of the Mozilla Root CA list. Thus, instead of
> "self-signed certs = false sense of security," your argument is really
> "not on some arbitrary root CA list = false sense of security," which
> is absolute nonsense.
>
> I talked to Google Apps support a few weeks ago, sent them a link to
> this discussion, but all they could do is file a feature request.
> IMHO, this change should never have been allowed to go into production
> until there is an interface for uploading our own root certificates.
> Of course, any root (i.e. self-signed) certificate can be used by the
> POP3 server directly, so this would also solve the problem for people
> trying to use self-signed certs not part of any PKI.
>
> Finally, "asking users to generate and upload a self-signed cert would
> be a customer-support disaster," so you just block their access
> completely? Anyone who doesn't know how to generate and upload a
> certificate would probably avoid encryption altogether, don't you
> think? And as for "outages that would occur when those certs expired,"
> what do you think people in my organization are dealing with right
> now? Only an expired cert can be renewed or replaced, whereas our
> access has been blocked and there is nothing we can do about it.
>
> - Max

-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274