Slashdot Mirror


User: WaffleMonster

WaffleMonster's activity in the archive.

Stories
0
Comments
4,185

Comments · 4,185

  1. No on Xen Cloud Fix Shows the Right Way To Patch Open-Source Flaws · · Score: 1

    If vendors want to withhold detailed notification until a patch is available I don't much care.

    However, withholding patches until after a "chosen" subset of the user community has casually had the opportunity to fix their shit is great for you if you're chosen and worse if you're everyone else.

    Better to announce in advance that on such a date at such a time a patch of import x shall be released to all concerned... let everyone who cares plan their maintenance windows accordingly.

  2. Hu? on Will Windows 10 Finally Address OS Decay? · · Score: 4, Insightful

    No idea what TFA is talking about... The only "decay" I've noticed is caused by people getting suckered into installing malware.

  3. Re:Don't say it... on CEO of Spyware Maker Arrested For Enabling Stalkers · · Score: 1

    What's the alternative? Don't go after anyone doing anything illegal, because there might be ways for others to get away with it?

    The alternative is simply focus on those actually conducting illegal activities rather than those producing dual-use tools.

    I for one think it's a good thing if a potential stalker has to work a bit harder to accomplish their goal than going to the play store and searching "stalk my girlfriend".

    Changing a few words in search term does not constitute a serious barrier to entry.

  4. Re:Survival on Energy Utilities Trying To Stifle Growth of Solar Power · · Score: 3, Interesting

    This strategy is untenable in the long term - as battery technology grows better and cheaper thanks to the likes of Tesla, they will eventually drive consumers off-grid entirely with these punishment tactics, losing any chance of making money from them.

    First there will need to be a minor revolt against codes requiring electrical service as a condition of human occupancy.

  5. Don't say it... on CEO of Spyware Maker Arrested For Enabling Stalkers · · Score: 2

    Moral of this story: if you're going to sell apps intended for nefarious purposes you should advertise only "legitimate" and not illegal uses of said app and demonstrate a legitimate, convincing use case.

    In the real world it is hard to understand how this translates into good policy or in any way works to improve society.

    You can arrest the low-hanging fruit of loudmouths, yet doing so will cause the remaining sellers of functionally equivalent software, now and in the future, to change descriptions to avoid arrest and buyers to moderate the keywords they use to locate the desired software.

    Nothing is actually changed, and being arrested for technicalities does not "send a message"; it is an exercise in futility and a waste of taxpayer resources.

  6. Google services are overrated anyway on Google To Require As Many As 20 of Its Apps Preinstalled On Android Devices · · Score: 1

    The industry is too set in its ways and excessive aggregation of power is sustaining a distorted up market.

    The hardware guys deserve all the praise for kicking ass while the software guys play games for financial optimization of their entrenched positions.

    This bullshit of creating OS builds for every specific hardware target is beyond idiotic. This happens all the time... a year later the vendor decides it wasn't worth their time to release any new version of the OS for any price without wholesale replacement of the device, and things stagnate while customers are placed at unnecessary risk from a mounting number of unpatchable exploits.

    Intentionally nerfing security levers available to end users for financial gain is morally bankrupt. If there was proper separation of concerns in the market this would never occur.

    Allowing carriers to nerf operating system functionality is as unacceptable as allowing your ISP to nerf your computer when you use the Internet yet they are still getting away with it.

    Allowing advertising companies to preload their wares on your devices with no viable means of removal by an ordinary person is indefensible. Remember when we spent years bitching about the inability to uninstall IE... now look around...

  7. Overwhelming response telling our leaders exactly what we wanted through our only feedback system. And it is blatantly IGNORED

    I think we might have used the *wrong* feedback system. We sent our feedback to the FCC when it should have gone directly to our representatives.

  8. Re:Listen to Sales - as hard as it may be on Ask Slashdot: Software Issue Tracking Transparency - Good Or Bad? · · Score: 2

    For a change - Sales and Marketing are right
    Never EVER hang dirty laundry in public

    You might want trusted tech users to see your bug tracker but no one else!

    It will scare people who don't understand bug tracking and give your competitors easy shots

    Depends on industry. If you operate in a space dominated by clueful customers, not having access to accurate revision histories means you have something to hide and makes you look bad.

  9. What is the market willing to accept? on When Everything Works Like Your Cell Phone · · Score: 1

    I can't believe anyone is still paying attention to the drumbeats of marketeers as they masturbate about the future of their dreams.

    Dream what you want, think the world is full of clueless suckers all you want... When your shit provides no value, stops working as soon as its pitiful warranty expires or becomes obsolete as it is leaving the store or otherwise annoys the customer for selfish reasons (cloud BS, ads, spying, unnecessary restrictions..etc) people will remember past experiences they had with your company and act accordingly.

    The more bitter among us may even recall LG used to be called Goldstar.

  10. Thoughts on led lighting on Breakthrough In LED Construction Increases Efficiency By 57 Percent · · Score: 1

    I don't care about 57% efficiency I care about lighting that is not gross or otherwise as annoying as heck.

    Bright blue LEDs... can't stand them; around here they end up being disconnected or gouged out in short order.

    LED street lights make me cringe every time I drive under them. Say what you will about the yellow spike that is sodium lighting, they are much easier on the eyes, especially at night. Streets are not supposed to resemble stadiums and LEDs are not more efficient than LPS.

    Christmas LED lights are puke-ish .. faint dull sickening flickering half wave monstrosities. I used to love going outside to look at all the nice warm Christmas lights now we drive by these hollow ghosts of years past and it is depressing.

    White LEDs in displays have shitty CRI, can't be dimmed at night because PWM flicker would fall below flicker fusion threshold and screening the panel kills contrast ratio.. They can't even achieve sRGB coverage. Other LED based arrangements such as RG-B are however quite good.

    Cheap LED screw-in light bulbs with white LEDs are sickening... however the slightly more expensive versions with phosphors are just as good as CFLs without the startup lag.

    LED flashlights look like shit but batteries last forever so they get a pass.

    OLED displays are unreliable compared with CRT and TFT panels, suffering from element failure and CRT-era phosphor burn-in.

    I don't care about efficiency... I care about quality products I would actually want to purchase that don't compromise and take shortcuts at my expense.

    TFA is like announcing the 50% efficient PV cell breakthrough that costs so much nobody but NASA would ever use it... it isn't the point ... the breakthrough is in addressing consumer demands and LEDs have a LOOONG way to go in my view.

  11. Re: What is the basis? on FBI Chief: Apple, Google Phone Encryption Perilous · · Score: 1

    consider a disk encryption system that uses a hw key that cannot be accessed without !very! exotic chip dissection equipment. The disk contents are protected by that key.

    Are any mobile phones shipping with a TPM chip?

    The fine print from TPM vendors about all of the attacks they don't protect against is amusing if you have a few minutes to kill.

    I can't imagine a scenario by which a non-nerf'd TPM properly protected from side channel attacks would not draw all manner of OFAC unpleasantries especially given there is no market demand.

  12. Good article on Security Collapse In the HTTPS Market · · Score: 1

    Well done, authors obviously spent a lot of time on it. Splitting implementation and deployment was refreshing to see.

    Fundamental problem is aggregation of power/value is an irresistible beacon of abuse. From criminals to states the more value protected the bigger the effort to coopt the system.

    I have two "practical" ideas which might help slightly..

    1. Replace CAs with DANE or something like it. We already have a global view of naming... Trust should flow from ownership of names as a standard feature of domain ownership.

    While this reduces overlapping CA craziness it just replaces headaches associated with one trust anchor with another... however with non-overlapping view there is a lot more that can be done to distribute trust.

    The other problem: deployment of DNSSEC without first fixing DNS DDoS amplification is, in my view, negligent and irresponsible.

    2. Use "zero knowledge" authentication protocols in addition to or instead of CAs. I have an account on some device or some service somewhere let my credentials be source of trust to protect my session. This solves the aggregation of power issues of planet wide trust anchors and allows people to secure their shit without having to screw around with certs.

    All of the technology to implement this exists... all browser vendors need to do is get off their asses and commit the TLS-SRP patches in their ticket systems.

    This is no panacea; there are two issues that using credentials for trust imposes which cannot be solved.

    1. Your 'identity ... (e.g. username)' is necessarily transmitted in the clear. While you can play games with reversible transforms or grouping the basis for deriving your identity is transmitted.

    2. There is no difference between storing a password and a password hash. Since we are establishing proof of mutual possession, servers need to reversibly protect their passwords. Hashes no longer work.
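The password-authenticated key exchange the TLS-SRP comment above is talking about, worked through as an added example (this is not code from the comment, nor from any browser's TLS-SRP patches): a minimal SRP-6a exchange in Python over the 1024-bit group from RFC 5054 Appendix A with SHA-256, with a simplified confirmation step M1 = H(A | B | K), M2 = H(A | M1 | K). A real deployment would use a larger group and the RFC's exact M1 construction. The client sends its username and A in the clear, the server answers with the salt and B, and both sides prove possession of the session key K without the password crossing the wire; the server's enrolment record is (salt, v = g^x mod N). USERS, enroll, authenticate and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A. Kept small so the example runs quickly;
# a real deployment should use a 2048-bit or larger group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Big-endian encoding of n, left-padded to the length of N (RFC 5054 PAD())."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(I ':' P)); exists only transiently on the client (and once at enrolment)."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


USERS = {}  # username -> (salt, verifier); constructed in-memory store for the example


def enroll(username: str, password: str) -> None:
    """Server-side enrolment. Only salt and v = g^x mod N are stored, never the password."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, pow(g, private_x(username, password, salt), N))


class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("server sent a degenerate B")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("degenerate scrambling parameter")
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2):
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


class Server:
    def __init__(self, salt, v):
        self.salt, self.v = salt, v

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("client sent a degenerate A")
        self.A = A
        self.b = secrets.randbits(256)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        return self.salt, self.B

    def verify_client(self, M1):
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):
            return None
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


def authenticate(username: str, password: str) -> bool:
    """Run the full exchange. Only I, A, salt, B, M1 and M2 cross the wire; P and x never do."""
    if username not in USERS:
        return False
    salt, v = USERS[username]                # the identity is needed in the clear to look this up
    client, server = Client(username, password), Server(salt, v)
    salt, B = server.challenge(client.A)     # client -> server: I, A ; server -> client: salt, B
    M1 = client.respond(salt, B)             # client -> server: M1
    M2 = server.verify_client(M1)            # server -> client: M2, or abort on mismatch
    return M2 is not None and client.verify_server(M2)


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong password"))                # False
```

A stolen USERS table gives an attacker v and the salt, which is enough for an offline dictionary attack on weak passwords (like a stolen password hash) but not enough to impersonate the client.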

  13. What is the basis? on FBI Chief: Apple, Google Phone Encryption Perilous · · Score: 1

    I'm having trouble understanding how "device" encryption is supposed to work or why the FBI cares.

    Are people going to be entering strong passwords at startup or are decryption keys going to be stored on the device?

    If they're going to be kept on the device then any TLA who cares will have access to them anyway.

    If it is going to be something the user enters on a mobile phone with no keyboard, it will be brute forced and any TLA who cares will have access to that data anyway.
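To put numbers behind the brute-force point in this comment and the hardware-key point in the earlier "Re: What is the basis?" comment, here is an added Python sketch (not from either comment, and not how any particular phone does it): a PIN is stretched with PBKDF2 into a key, a key check value is stored alongside the salt, and an attacker who has dumped the flash tries every four-digit PIN offline. The iteration count, the KCV construction and the device secret are constructed for the example; the second run mixes in a secret that never leaves the SoC, so the same dump no longer lets the search succeed.

```python
import hashlib
import hmac
import itertools
import secrets

# Deliberately tiny iteration count so the whole four-digit PIN space is searched in about a
# second here; real devices use far more rounds, which only scales the attacker's cost linearly.
ITERATIONS = 100
KCV_LABEL = b"key-check-value"


def derive_key(pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Turn a PIN into a 256-bit key. With a device_secret the key is also bound to the hardware."""
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)
    if not device_secret:
        return pin_key
    return hmac.new(device_secret, pin_key, hashlib.sha256).digest()


def key_check_value(key: bytes) -> bytes:
    """What an attacker can test candidates against offline (stands in for a known-plaintext block)."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()


def enroll(pin: str, device_secret: bytes = b""):
    """Return the (salt, kcv) pair that ends up stored on the device."""
    salt = secrets.token_bytes(16)
    return salt, key_check_value(derive_key(pin, salt, device_secret))


def brute_force(salt: bytes, kcv: bytes, digits: int = 4, device_secret: bytes = b""):
    """Offline search over every numeric PIN of the given length.
    device_secret is what the attacker knows: b'' models a flash dump with no hardware key.
    Returns (pin, attempts) on success or (None, attempts) after exhausting the space."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        candidate = "".join(combo)
        guess = key_check_value(derive_key(candidate, salt, device_secret))
        if hmac.compare_digest(guess, kcv):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Case 1: key derived from the PIN alone; a flash dump is enough.
    salt, kcv = enroll("1337")
    print(brute_force(salt, kcv))                            # ('1337', 1338)
    # Case 2: key also bound to a secret inside the SoC; the dump alone is useless.
    hw_secret = secrets.token_bytes(32)
    salt, kcv = enroll("1337", hw_secret)
    print(brute_force(salt, kcv))                            # (None, 10000)
    print(brute_force(salt, kcv, device_secret=hw_secret))   # ('1337', 1338)
```

The search space, 10^4 candidates, is what bounds the first case; raising ITERATIONS only slows it down. In the second case the attacker must either extract the device secret or run guesses through the device itself, which is where rate limiting and wipe-after-N-attempts can actually bite.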

  14. Old water on Solar System's Water Is Older Than the Sun · · Score: 4, Funny

    If our solar systems water is older than the sun why does my bottle of Fiji expire in a year? :)

  15. Re:Will this internet of things die already? on Popular Wi-Fi Thermostat Full of Security Holes · · Score: 2

    Looking at the spiel from Nest, these products pay for themselves through regular use, not through exceptions:

    A cheap programmable thermostat pays for itself quicker.

    Auto-Schedule makes it easy to create an energy efficient schedule that can help you save up to 20% on your heating and cooling bills. All the Nest Thermostat's features combined can get you even bigger savings

    I give a shit about results only seen by a few outliers... honest..

    After a year using my @Nest thermostat, I've saved $326.74 / 2,651 kWh over the previous year.

    If I were selling a product that really did all the wonderful things claimed I would want the world to know about it by providing credible evidence supporting my assertions. Instead we are treated to a bunch of people saying they saved x, y and z over last year... which is to say the least.. completely worthless.

    Patiently awaiting credible evidence...

  16. Re:Will this internet of things die already? on Popular Wi-Fi Thermostat Full of Security Holes · · Score: 1

    I want it. Internet connected air con is the greatest thing since sliced bread. I can turn it on ten minutes before I get home

    If this does anything, your unit is morbidly oversized.

    or switch the heating in my car on before I go out and while it is still plugged in to the wall.

    Switches are great inventions.

    I don't see Leafs or Model Ss getting hacked left, right and centre. Nor my smart TV or air con for that matter. Maybe because I chose good manufacturers who care about security.

    I'll assume you just forgot the smiley face.

  17. Re:Really? on Next Android To Enable Local Encryption By Default Too, Says Google · · Score: 1

    Since you're in the security team, could you comment on why Android requires you to set up some sort of lock security just in order to have a VPN configured (even if it's not in use)?

    You know what makes even less sense than forcing people to use lock screens even if not saving VPN access credentials?

    Having infrastructure with keychain and all of that in place and then not using it in browser and Android email client to secure stored credentials.

    Even worse, the email client cannot be configured to prompt for passwords when checking/sending mail... you *have* to store your password.

  18. Re:Encryption on Next Android To Enable Local Encryption By Default Too, Says Google · · Score: 1

    But, please, what makes you think that Apple, or even Samsung, aren't doing exactly the same?

    I assume they are.

    Apple can install stuff on your device when it feels like it. In fact, you have even less control over an Apple devices and its whims.

    What does Apple have to do with TFA? For the record, Apple's actions, ignoring the factual inaccuracies in your comments, are also inexcusable, as are Microsoft's... etc. It doesn't matter who's doing it.

    So, your concern is really about modern devices, not anything to do with the meat of the story - encryption

    Pointing out encryption is meaningless when you don't have control over your own devices is relevant.

    P.S. With Android, you can see the source, and build from clean source, without any Google services whatsoever if you want. People have done it for you. Almost every big-selling Android phone is supported. You can get root access and check everything you like. And then encryption really means something.

    Great for the technically inclined, not so great for everyone else.

  19. Encryption on Next Android To Enable Local Encryption By Default Too, Says Google · · Score: 0

    Just so that I understand: Google Play can install shit on your device when it feels like it, Google reads all of your email, Google further nerfs the intentionally nerfed permissions system, and just about everything by volume in the app store is spyware designed to sell YOU to the highest bidder.

    Relax folks your device is "encrypted" ...LOL..

  20. But what does it do? on Slashdot Asks: What's In Your Home Datacenter? · · Score: 1

    What does this "datacenter" in TFA actually do? From the YouTube videos they pointed to some servers with labels like "push email"... the whole rack of SGIs? Spammers?!??

    Another section of Apache/MySQL "cluster" and DNS servers with only a 60mbit link...

    They have a list of websites hosted on the "datacenter" but this appears to be mostly run of the mill basic business fronts/web presence.

    Notice the light patterns on the switch ports: all of the activity at the time of filming appears to be dominated by broadcast.

    What does it all do?

  21. Re:trust on Why Is It Taking So Long To Secure Internet Routing? · · Score: 3, Insightful

    An untrusted central authority is better than no security.

    Peers have to trust each other to act rationally. Filtering and sanity checking of crap from your downstreams, and maintenance of physical links with rational actors whom you trust to act professionally, are worth more than central authorities.
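As an added illustration of the "filtering and sanity checking" this comment puts ahead of central authorities (not code from the comment or from any router vendor), here is a Python prefix-filter check of the kind an upstream applies to routes heard from a downstream: bogons, too-specific prefixes, a path whose first hop is not the peer, private ASNs in the path and prefixes the peer has not registered are all dropped. The EXPECTED table, the bogon list and the thresholds are constructed sample data using documentation ASNs and prefixes (RFC 5398, RFC 5737, RFC 3849); in practice the table is built from the downstream's IRR route objects or RPKI ROAs.

```python
import ipaddress

# Constructed sample data. ASNs and prefixes come from the documentation ranges, so the
# TEST-NET blocks are deliberately NOT in the bogon list here; a production filter would list them.
EXPECTED = {
    64496: [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:100::/40")],
}
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
MAX_PREFIXLEN = {4: 24, 6: 48}   # nothing more specific than this is accepted from a peer
MAX_PATH_LEN = 64                # absurdly long paths are a classic symptom of a broken router


def is_private_asn(asn: int) -> bool:
    """RFC 6996 private-use ranges; they should have been stripped before the route left the peer."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def check_announcement(peer_asn: int, prefix_str: str, as_path):
    """Return (accept, reason) for a route heard from a downstream peer.

    Checks run cheapest first; the first failure wins so the reason is unambiguous."""
    try:
        prefix = ipaddress.ip_network(prefix_str, strict=True)  # host bits set -> ValueError
    except ValueError:
        return False, "malformed prefix"
    if any(prefix.overlaps(b) for b in BOGONS if b.version == prefix.version):
        return False, "bogon"
    if prefix.prefixlen > MAX_PREFIXLEN[prefix.version]:
        return False, "too specific"
    if not as_path or as_path[0] != peer_asn:
        return False, "first AS in path is not the peer"
    if len(as_path) > MAX_PATH_LEN:
        return False, "AS path too long"
    if any(is_private_asn(a) for a in as_path):
        return False, "private ASN in path"
    registered = [e for e in EXPECTED.get(peer_asn, []) if e.version == prefix.version]
    if not any(prefix.subnet_of(e) for e in registered):
        return False, "prefix not registered for peer"
    return True, "accept"


if __name__ == "__main__":
    # Constructed announcements as they might arrive from AS64496.
    samples = [
        ("203.0.113.0/24", [64496]),
        ("2001:db8:1ff::/48", [64496, 64497]),
        ("203.0.113.1/24", [64496]),
        ("10.1.0.0/16", [64496]),
        ("203.0.113.128/25", [64496]),
        ("203.0.113.0/24", [64500, 64496]),
        ("203.0.113.0/24", [64496, 65000]),
        ("198.51.100.0/24", [64496, 64497]),
    ]
    for prefix, path in samples:
        print(prefix, path, check_announcement(64496, prefix, path))
```

Note that "prefix not registered for peer" is the check that actually stops a downstream from hijacking someone else's space; everything before it only removes noise that no rational peer should be sending in the first place.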

  22. Micro SD on SanDisk Releases 512GB SD Card · · Score: 2

    SanDisk if you are reading this please make a 512GB Micro SD... thanks!!

  23. Re:Yea no... on Book Review: Architecting the Cloud · · Score: 1

    That's a *very* strong assertion. In fact, it seems like the sort of thing that the courts would stop, hard. It's essentially extortion. It's absolutely the sort of thing that would send customers screaming... and discouraging everyone around them. I find it hard to believe that any reputable cloud service provider would dare risk their business by doing something like that.

    Lost track of the number of people who have called in with issues trying to extract data from various providers.

    Either they claim they can't do it, provider cut them off and they are screwed or provider feels it necessary to charge a massive fee to extract customers data. Another fine twist is allowing access to data but not in a way it could practically be extracted.

    Guessing some of these are cases of you owe us money and we're leveraging whatever we can to force you to pay yet some have specifically mentioned rate hikes and cumulative costs as reason for decision to bail.

    You can parse this out till you're blue in the face and draw whatever lines and labels you think demarcate acceptable behavior from extortion.

    Bottom line: if you don't insist on full and meaningful access to full datasets you're essentially begging the provider to take advantage of you. Expecting they would not seek to maximally leverage their position is not a serious option.

  24. Re: Not a chance on UCLA, CIsco & More Launch Consortium To Replace TCP/IP · · Score: 1

    Ehmm. No. TCP is quite special in being byte-oriented. SCTP is message oriented.

    By definition a stream is a stream is a stream. Being a stream means you are bound by the limits of what you are... a stream. It does not matter what protocol the stream is implemented over.

    A TCP session is HOL'd no different than any individual stream within a given SCTP session.

    The only difference is the 1:1 correspondence between a TCP session and its data stream, compared with 1:many between an SCTP session and the multiple streams within it.

    While separate SCTP streams cannot HOL each other, each individual stream is HOL'd.
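The head-of-line argument in this comment, simulated as an added Python example (not code from the comment): chunks from two interleaved streams are sent, one is lost and arrives last after retransmission, and the receiver is run twice, once with a single ordering domain keyed by the shared sequence number (TCP-like) and once with a per-stream sequence number (SCTP-like). Chunk, make_chunks, receive and blocked_streams are names invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    tsn: int   # transmission sequence number shared by the whole association (TCP seq / SCTP TSN)
    sid: int   # stream id; a TCP connection has exactly one
    ssn: int   # sequence number within the stream (SCTP SSN)


def make_chunks(stream_ids):
    """Build a send sequence: chunk i goes out i-th and belongs to stream stream_ids[i]."""
    next_ssn, chunks = {}, []
    for tsn, sid in enumerate(stream_ids):
        ssn = next_ssn.get(sid, 0)
        next_ssn[sid] = ssn + 1
        chunks.append(Chunk(tsn, sid, ssn))
    return chunks


def arrival_order(chunks, lost_tsn):
    """One chunk is lost and shows up last, after retransmission; the rest arrive in send order."""
    return [c for c in chunks if c.tsn != lost_tsn] + [c for c in chunks if c.tsn == lost_tsn]


def receive(chunks, lost_tsn, per_stream_ordering):
    """Simulate the receiver's reassembly buffer.

    Returns {tsn: number of later arrivals the chunk sat in the buffer before it could be
    handed to the application}. per_stream_ordering=False means one ordering domain keyed
    by TSN (TCP-like); True means one domain per stream keyed by SSN (SCTP-like)."""
    arrivals = arrival_order(chunks, lost_tsn)
    arrived_at = {c.tsn: t for t, c in enumerate(arrivals)}
    domain_key = (lambda c: (c.sid, c.ssn)) if per_stream_ordering else (lambda c: (0, c.tsn))
    next_expected, buffered, waited = {}, {}, {}
    for t, chunk in enumerate(arrivals):
        domain, seq = domain_key(chunk)
        buffered[(domain, seq)] = chunk
        nxt = next_expected.get(domain, 0)
        while (domain, nxt) in buffered:          # deliver everything that is now in order
            c = buffered.pop((domain, nxt))
            waited[c.tsn] = t - arrived_at[c.tsn]
            nxt += 1
        next_expected[domain] = nxt
    assert not buffered, "every chunk is delivered once the retransmission lands"
    return waited


def blocked_streams(chunks, lost_tsn, per_stream_ordering):
    """Streams that had at least one chunk held back by the loss (the lost chunk itself excluded)."""
    waited = receive(chunks, lost_tsn, per_stream_ordering)
    by_tsn = {c.tsn: c for c in chunks}
    return {by_tsn[tsn].sid for tsn, w in waited.items() if w > 0 and tsn != lost_tsn}


if __name__ == "__main__":
    chunks = make_chunks([0, 1, 0, 1, 0, 1])   # two interleaved streams, six chunks; tsn 2 is lost
    print(receive(chunks, 2, per_stream_ordering=False))        # stream 1 waits too
    print(receive(chunks, 2, per_stream_ordering=True))         # only stream 0 waits
    print(blocked_streams(chunks, 2, per_stream_ordering=False))  # {0, 1}
    print(blocked_streams(chunks, 2, per_stream_ordering=True))   # {0}
```

With per-stream ordering the chunks on stream 0 behind the hole still wait for the retransmission, which is the "each individual stream is HOL'd" part; stream 1 simply never notices.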

  25. Re:https://www.google.com using SHA-1 on Why Google Is Pushing For a Web Free of SHA-1 · · Score: 1

    True. As mentioned in the article and a linked tweet, Google plans to migrate to SHA-256 by the end of 2015. Why it will take them so long is not stated.

    I only read Google's announcement and did not follow every link from others before posting.

    Hearing this only makes things worse... If Google themselves are not getting their act together until 2016 and concurrently the following is true:

    "Chrome 39 (Branch point 26 September 2014)
    Sites with end-entity ("leaf") certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as "secure, but with minor errors"."

    It is hard to imagine a situation whereby you can avoid everything appearing broken in much the same way everything is known to the state of California to cause cancer.

    In the meantime, their certificates only last three months. Probably only NSA and GCHQ could forge a cert in that short a time - and they don't need to.

    What is the point of this? I don't understand the logic here... how/who does this help?

    Google's cert would be useless as the attacker does not have Google's private key, and the path restrictions of the preceding trust path make it useless to repurpose as an intermediary.

    Nobody is going to waste their time going after one company's SSL cert; they are going to go after any vulnerable trust chain and fuck EVERYONE, including Google, regardless of how often they change their certs.