Timeline for Gmail X.509 certificate chain
Current License: CC BY-SA 3.0
7 events
| when | type | what | by | license | comment |
|---|---|---|---|---|---|
| Apr 13, 2017 at 12:13 | history | edited | CommunityBot | | replaced http://serverfault.com/ with https://serverfault.com/ |
| Mar 28, 2017 at 19:43 | history | edited | dave_thompson_085 | CC BY-SA 3.0 | added 184 characters in body |
| Mar 17, 2017 at 10:46 | history | edited | CommunityBot | | replaced http://security.stackexchange.com/ with https://security.stackexchange.com/ |
| Jul 8, 2015 at 0:47 | comment | added | dave_thompson_085 | | @scarecrow a relier trusts a (PKIX) cert chain if it ends at a root (or anchor) in the relier's truststore. If you create your own root cert and give it the same name as GeoTrust (or any other established CA), it won't have the same key, so it won't be the same cert that systems have in their truststore, and it won't be trusted. See security.stackexchange.com/questions/56389/… -- which actually uses gmail as the example! |
| Jul 5, 2015 at 11:13 | history | edited | StackzOfZtuff | CC BY-SA 3.0 | + line break (fixes list item markup) |
| Jul 4, 2015 at 19:08 | comment | added | scarecrow | | Don't you think this makes it very difficult for ordinary users to verify? When you have an email provider constantly sending different certs, and the user doesn't know the intricacies of trust chains, surely this leaves the door wide open for MITM to send fake cert chains? I would like to test this. If I were to create my own root cert in OpenSSL and call it GeoTrust, then use it to sign a cert called google, and then use that to sign a cert called gmail, who would know that chain was fake? |
| Jul 4, 2015 at 12:34 | history | answered | dave_thompson_085 | CC BY-SA 3.0 | |