Gmail and SSL

Perhaps Googles other "harvesters" and the government agents they sell or give user credentials to, don't work against privately (not under the goverment thumb) encryption keys without the surveillance state expending significantly more resources.

Perhaps the cheapest way to solve this is to apply thumbscrews and have google require the use of co-option freindly keying material by their victims errr customers errr users.

you lost me in conspiracy theories, can you rephrase?

ITYM "product".

- Matt

There is no difference in encryption terms between a certificate
signed by an external CA and a certificate signed by itself, in either
case only parties with the private key (which you should never send to
the CA) can decrypt messages encrypted with that public key.

Some CAs will offer to generate a key pair for you instead of managing
your own keys, however that merely demonstrates that those CAs (and
anyone who uses that service) don't know how the certificates they are
issuing are meant to work. If anyone other than the party directly
identified by the public key ever gets a copy of the private key then
those keys are no longer secure and the certificate should be revoked
immediately as it no longer has any meaning*.

But if you ignore facts (as most conspiracy theories do) and try to
argue it's part of a conspiracy to intercept data - we're talking
about hop by hop transport encryption not end to end content
encryption, google already have a copy of all the messages going
through their service anyway.

- Mike

* A CA signs to say "we have verified this is google", not "this is
either google or their CA or some other random person, well really we
don't have a clue who it is but someone gave us money to sign here" -
although the latter is probably more accurate in the real world.


Absolutely. A certificate whose fingerprint has personally been
validated by a human, and compared to a SHA1 fingerprint learned
earlier out of band, is to be trusted with a high level of
confidence. It is in a sense may be a more reliable assurance
than a CA signature on a certificate, as long as a strong validation
process was followed -- it is still stronger if BOTH fingerprint
manually validated _and_ signed by a recognized CA.

A problem, however, that can come in when designing software - such as
browsers -- How do you prove the human actually was properly trained,
and followed the correct validation procedure?

If the human doesn't actually have to type the expected SHA1
fingerprint, and there is a way the human can just "click OK"; or
select an option to "disable checking" -- the average human will
likely just spontaneously click that -- not understanding what
fingerprint validation is, and simply "Approve" or "Skip" the
validation process, and mark as trusted, without manually verifying

Therefore: the usefulness of fingerprint validation is often
limited, to situations where the operator is specifically trained to
follow a reasonable validation procedure, and adherence to the
validation procedure is enforced.