Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
- To: Ferenc Kovacs <tyra3l@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Is This MITM Attack to Gmail's SSL ?
- From: coderman <coderman@xxxxxxxxx>
- Date: Mon, 29 Aug 2011 16:35:31 -0700
On Mon, Aug 29, 2011 at 3:38 PM, Ferenc Kovacs <tyra3l@xxxxxxxxx> wrote:
> http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en
>
> any thoughts?
sure:
- PRUNE YOUR ROOTS
- public key pinning == useful [0]
- perspectives == useful [1]
- google's cert catalog == useful [2]
- ssl observatory == useful [3]
- combine multiple above for best positioning
tech details http://pastebin.com/ff7Yg663
0. http://www.imperialviolet.org/2011/05/04/pinning.html
1. http://perspectives-project.org/
2. http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html
3. http://www.eff.org/observatory
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/