Comment by tomp

11 years ago

NSA has NSLs (national security letters with gag orders). There are CAs in the US. Mission accomplished.

Wouldn't help with Google though - anybody who tried to fake a Google cert would be caught by Chrome within a few seconds. There is a lot of value associated with owning a browser. Enhanced security is just one part of it.

  • You speak as if the power of NSLs has a functional limit - it doesn't, which is what makes the entire concept so dangerous.

    There's nothing stopping the requirements from being "mint us a certificate according to these specs" and additionally "okay, now pin this certificate in your browser".

That would be stupid. Google is a US company. NSA has NSLs. Mission accomplished. No certs involved.

  • How did you get Google into all this? If you're implying that Google owns a search site/Gmail/a browser, know that there are alternatives, which NSA's target could be using. A fake certificate from a trusted US CA can MITM any connection to almost any website from almost any browser.

    • That should have been a reply to the sibling comment, where it was implied this would be a strategy against Google.