This email, right here? This is Exhibit 1 in my "not all the tradeoffs of outsourcing your $SERVICE are visible or trivial" list. Thanks.

Cheers,
-- jra

----- Original Message -----
> From: "Maxim Khitrov" <m...@mxcrypt.com>
> To: "Damian Menscher" <dam...@google.com>
> Cc: nanog@nanog.org
> Sent: Thursday, January 3, 2013 9:01:09 AM
> Subject: Re: Gmail and SSL
>
> On Thu, Jan 3, 2013 at 12:14 AM, Damian Menscher <dam...@google.com> wrote:
> > Back on topic: encryption without knowing who you're talking to is worse than useless (hence no self-signed certs which provide a false sense of security), and there are usability difficulties with exposing strong security to the average user (asking users to generate and upload a self-signed cert would be a customer-support disaster, not to mention all the outages that would occur when those certs expired). Real-world security is all about finding a reasonable balance and adapting to the current threats.
>
> The most recent change to POP3 mail retrieval over SSL is not a reasonable balance. My organization uses Google Apps for mail hosting, but a number of users also have us.army.mil accounts. They used to pull mail from their .mil account into Google Apps via POP3. Army servers do not allow unencrypted connections and their root certificates are not part of the Mozilla Root CA list (and, as you can guess, I have no control over their servers).
>
> Google didn't just block the use of self-signed certs; you broke communication with all servers using perfectly legitimate PKIs that are not part of the Mozilla Root CA list. Thus, instead of "self-signed certs = false sense of security," your argument is really "not on some arbitrary root CA list = false sense of security," which is absolute nonsense.
>
> I talked to Google Apps support a few weeks ago, sent them a link to this discussion, but all they could do is file a feature request. IMHO, this change should never have been allowed to go into production until there is an interface for uploading our own root certificates. Of course, any root (i.e. self-signed) certificate can be used by the POP3 server directly, so this would also solve the problem for people trying to use self-signed certs not part of any PKI.
>
> Finally, "asking users to generate and upload a self-signed cert would be a customer-support disaster," so you just block their access completely? Anyone who doesn't know how to generate and upload a certificate would probably avoid encryption altogether, don't you think? And as for "outages that would occur when those certs expired," what do you think people in my organization are dealing with right now? Only an expired cert can be renewed or replaced, whereas our access has been blocked and there is nothing we can do about it.
>
> - Max

-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
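The thread above turns on which trust anchors a mail fetcher is willing to accept. The script below is an added example, not part of the NANOG thread and not Google's or the Army's configuration: it builds a small private PKI with the openssl command line (a self-signed "Example Org Root CA" and a server certificate for the hostname pop.example.org, both names and the temporary working directory being constructed for the demo) and then runs that one server certificate through the checks a POP3/IMAP client performs: against the organization's own root, against only the default system store, against an unrelated root, against the wrong hostname, and at a date past the leaf certificate's expiry. It shows concretely what "uploading our own root certificates" means: a chain from a private PKI validates only for a client that has been given that root, and an expired certificate is a separate, recoverable failure.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): a private PKI built with openssl,
# then the verification steps a POP3/IMAP client performs against it.
# "Example Org Root CA", "pop.example.org" and the temp directory are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config for the self-signed root. It marks the certificate as
# a CA explicitly, so chain building accepts it as an issuer regardless of what
# the system openssl.cnf defaults to on a given OpenSSL version.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Org Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf extension: the name a client compares against the host it dialed.
    printf 'subjectAltName=DNS:pop.example.org\n' > "$WORK/leaf.cnf"
}

# Build the PKI: a self-signed root (valid 1 year), a server certificate signed
# by it (valid 90 days), and an unrelated second root that stands in for a
# public CA which never issued anything for this server.
make_private_pki() {
    write_config
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 365 >/dev/null 2>&1
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/pop.key" -out "$WORK/pop.csr" -subj "/CN=pop.example.org" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/pop.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 90 -extfile "$WORK/leaf.cnf" -out "$WORK/pop.pem" >/dev/null 2>&1
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" -days 365 >/dev/null 2>&1
}

# verify_with <ca-file-or-empty> <cert> <hostname>
# Prints "ok" if a client configured with those trust anchors would accept the
# certificate for that hostname, "rejected" otherwise. An empty CA file means
# "only the default store", which is the situation the thread complains about.
verify_with() {
    ca="$1"; cert="$2"; host="$3"
    if [ -n "$ca" ]; then
        # Trust exactly this root and nothing from the system store.
        if openssl verify -no-CAfile -no-CApath -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1
        then echo ok; else echo rejected; fi
    else
        if openssl verify -verify_hostname "$host" "$cert" >/dev/null 2>&1
        then echo ok; else echo rejected; fi
    fi
}

# verify_at <ca-file> <cert> <unix-time>
# The same chain check evaluated at another point in time, to separate an
# expiry failure (fixable by renewing the cert) from a missing trust anchor.
verify_at() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
    then echo ok; else echo rejected; fi
}

now() { date +%s; }

make_private_pki
echo "own root, right host:     $(verify_with "$WORK/root.pem" "$WORK/pop.pem" pop.example.org)"
echo "default store only:       $(verify_with "" "$WORK/pop.pem" pop.example.org)"
echo "unrelated root:           $(verify_with "$WORK/other.pem" "$WORK/pop.pem" pop.example.org)"
echo "own root, wrong host:     $(verify_with "$WORK/root.pem" "$WORK/pop.pem" imap.example.net)"
echo "own root, 120 days later: $(verify_at "$WORK/root.pem" "$WORK/pop.pem" $(( $(now) + 120*86400 )))"
```

The first line is the only "ok": the certificate is accepted exactly when the client has been handed the organization's root, which is the interface the thread asks Google for. The default-store and unrelated-root cases fail for the same reason (no path to a configured anchor), the wrong-host case fails the name check that "knowing who you're talking to" refers to, and the last case fails only on validity dates, which the server operator can fix by reissuing.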