so did the gmail ssl cert change today for anyone else, or did someone just MitM me?
i've been in the habit of checking the hash on the site for a while now. i think kaminsky talked about doing things to help remember hashes a few years back at blackhat/dc (i think he proposed using phrases derived from the hash value, which are easier to remember, but i'm not sure). i know others have talked about hash visualization... i dug around for a hash visualization plugin for firefox, and turned up nothing, and am kicking around building one (w/ all my free time ;)...
anyway, it's tough to remember those long hash strings, so i was using the weaker method of just remembering a few values and their placement in the hash string. much to my surprise this morning, the values i was expecting were no longer there...
sooooo, now what? i hit cancel... then i went back and examined the cert, and the cert chain. but wtf am i lookin for? if they can gen a fake gmail cert, they can gen a fake cert chain too, right? so anyway, i went ahead and logged in after a few min of indecision. i need to rotate my passwords anyway ;)
but now i'm left wondering what is the right thing to do when a cert changes... how do you verify that it is legit, and not a MitM? guess i've got some reading to do...
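Added example (not the post's own code): a Go sketch of the two checks the post is after, trust-on-first-use fingerprint pinning (the comparison done from memory above) and verifying that a cert chain ends at a root already in your trust store, which is what separates a legit rotation from a forged chain. `mkCert`, `PinStore`, `ChainOK` and the CA names are assumptions made up for this example; `mkCert` issues throwaway test certs so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent; parent == nil makes it a self-signed root (hypothetical helper).
func mkCert(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PinStore keeps the first SHA-256 fingerprint (over the DER bytes, the value a browser's
// cert viewer shows) seen per host, trust-on-first-use style; Check returns true when the
// host now presents a different cert than the one pinned, i.e. a rotation or a MitM.
type PinStore map[string][sha256.Size]byte

func (p PinStore) Check(host string, c *x509.Certificate) (changed bool) {
	fp := sha256.Sum256(c.Raw)
	if old, ok := p[host]; ok {
		return old != fp
	}
	p[host] = fp // first sighting: nothing to compare against, so pin it
	return false
}

// ChainOK: a forged chain can be internally consistent, so what decides is whether it
// ends at a root already in your trust store; Verify also checks the host name and dates.
func ChainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

Issue a root with mkCert("trusted-root-ca", true, nil, nil), a leaf from it for the host, put the root in an x509.CertPool, then run Check and ChainOK on the leaf; a leaf for the same host from a second, unknown root trips Check and fails ChainOK even though its own chain is internally valid.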