Daniel Eran Dilger

Why Google’s GMail SSL Doesn’t Really Protect Users From Spoofing

[Image: Chrome SSL error report]
Pundits have insisted that SSL email in MobileMe would prevent users from being hijacked to a different domain by elite hackers. However, both Gmail and MobileMe have presented enough spurious Vista UAC-like certificate warnings to users (not to mention other web sites and plugins) that nobody pays any attention anymore. Users will simply click it and forget it, turning Google’s SSL Gmail feature into a false sense of security.
This is probably not the site you are looking for!

Google’s new Chrome browser complains to users trying to access Gmail that they’re being redirected to mail.google.com, warning, “this may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of gmail.com. You should not proceed.”

It offers two choices to the users quaking in fear under their desk: “Proceed anyway” and “Back to safety.” Who writes this stuff, the Fear Bureau of the Department of Homeland Security? In any case, it’s about as useful as having grandma take her shoes off and walk through the million dollar poof machine.

The problem with all of this spurious wolf-crying certificate security panic is that users who are forced to live in a constant state of fear won’t react to real problems anymore. Security comes from education, not from being frequently scared by false alarms. Users who are presented with understandable explanations of how things work can then be aware of the relative risk involved, and can behave appropriately.

That’s why Apple should be telling users how MobileMe actually works and what limitations it has in encryption, rather than just putting it all under SSL and providing a false sense of security punctuated by a steady din of false alarms. This also cuts through the layer of hyperventilating panic asserted by masterful headline link baiters trying to describe MobileMe as being woefully dangerous and problematic.

Is Apple’s MobileMe Secure?

MobileMe identity crisis.

That’s not to say Apple hasn’t delivered its own unnecessary warnings. Users of .Mac received a similar error message from Mail at the transition to MobileMe. The warning complains of an invalid security certificate because of a host name mismatch. While not worded in the same high fear panic of Chrome, Apple does warn that this could put “your confidential information at risk.”


Even the Democrats recently sprang a scare warning. The Democratic National Convention website required a combination of Silverlight and Java plugin installations just to allow viewing of speakers’ videos, with nary a hint that viewers could just as well watch them from YouTube without bothering with two plugins and the accompanying security warning they flashed up:


With users being hit by meaningless certificate warnings at a regular clip, would the users who are likely to be scammed by a man in the middle attack benefit from the browser throwing up an extra warning for them to click through without reading? Those trusting explicitly in SSL to do their thinking for them have come to a sad realization. The only way to protect yourself is to be aware of the relative dangers in what you’re doing. SSL is only one element in that, and is fallible.

As Barack Obama said about “fulfilling America’s promise,” web security “will require more than just money. It will require a renewed sense of responsibility from each of us.” There is no easy fix for complex problems. Turning SSL into a jingo reason to fervently declare a populist war on MobileMe while ignoring the facts and the responsibility of users to know how to proactively safeguard themselves is just the kind of talk that confuses people rather than helping them navigate the web safely. What users should be told is how to manage their risk, not who to conveniently scapegoat.


  • David Dennis

    This is nothing personal, though. Those admittedly paranoid warnings have been around for a long time and don’t do anything different now that they did a decade ago.

    I doubt that one in 100 people could tell you what a certificate really is and why it exists. The problem with the paranoid warning is as Dan says – nobody understands them in the first place and so nobody knows anything but to click “go ahead”.

    So let’s try to remedy this, although Dan’s readers are probably the last people who need to know.

    The certificate does two things: Provide keys that allow privacy between computers, and identify the host computer to the client. So if the “apple.com” certificate matches the “apple.com” server name, you know you’re really talking to “apple.com”.

    If there is a mismatch, then, such as between “gmail.com” and “mail.google.com”, the browser thinks mail.google.com might be a scam site using gmail’s certificate.

    Google really should fix that problem by calling all its mail servers gmail.com. That would work and not cause anyone any pain.

    The same is true of MobileMe – as long as there is a me.com certificate and the servers are using it, mobileme users won’t get annoying messages either.

    The real question is how you know mail.google.com is really google. If it is, then you can safely ignore the message and move on. If me.com refers to mac.com’s server, since you know me.com is owned by the same people, you can safely ignore the message too.

    I think the problem is that most people really don’t understand the messages, and don’t want to read them.

    Unfortunately, the first way past this is simply to read any message on your screen carefully. Dan is correct in saying that the frequency with which you see these messages on legitimate hosts makes the protection pretty much useless, since it discourages people from reading these messages, which they are disinclined to do anyway.

    D

  • liveformusic

    Love the articles Dan. However, please leave politics to more qualified individuals.

  • gus2000

    I can’t click that “Trust” button fast enough. But that’s mostly because I understand the issues, and can tell (generally!) if I’m about to be pwned.

    I’m not sure why the browser would even complain about “mail.google.com” if it already trusts “google.com”, since the former is a subdomain of the latter. If I can’t trust the subdomain, then the main domain holder should probably not be my Secret Squirrel.

  • djspiewak

    Contrary to popular belief, the most important reason to use SSL is not authentication (to fight spoofing) but encryption. To put it a different way, if you’re accessing data over pure http://, then your data is flying back and forth completely in the clear. I cannot stress enough how *trivial* it is to intercept such data. In these days of wireless internet and public hotspots under every park bench, “the tubes” are less secure than they have ever been. If you access your email over http:// over a wireless that is not WPA2 encrypted, then you better be willing to let the whole world read that email, because that’s exactly what you’re allowing.

    I have no illusions that switching on https:// for Gmail makes me any less vulnerable to DNS poisoning, but I *am* confident that it fulfills its primary purpose: securing my data from prying eyes while in-transit (e.g. man-in-the-middle).

  • http://stevekudelko.com Steve Kudelko

    Hi Dan,

    Completely unrelated to the article, but I noticed that your Twitter feed isn’t updated when you post new blog articles anymore. I don’t know if you got rid of that feature, or if it’s just broken… so if it’s broken, just a heads up.

    Keep up the great writing. Your site is my favorite tech-oriented blog on the Internet.

    – Steve

  • Realtosh

    danieleran,

    Many posters have made clear that you’ve got a great technology blog here. It’s your blog and you’re free to do as you please, but throwing politics into the mix seems to upset a lot of people. I can’t be bothered to read that half the readers feel that you’re providing a biased view of politics and the other half seems happy by your political rants.

    I can’t see how a 45 minute youtube video of the Democratic Acceptance Speech belongs in an article about Google email and SSL security. I watched the speech live as I watched his opponent’s acceptance speech. It is important for me to educate myself prior to making my decision. I’ve even gone to an Obama rally just a few miles from here. But I won’t give you my political conclusions from my research of the candidates because I don’t feel that it belongs here. I do recommend that anyone who hasn’t seen both the VP and Pres Acceptance speeches of both parties should listen to all four candidates and make a choice and please go vote Nov 4th.

    Daniel, if you feel that you should write about politics, then please give those articles proper headlines and put them in a political section on your blog. I’m sure you’d get a following for your politics as well.

    Just don’t shove it in our faces in an article about Google. You sometimes write in circles, but as long as you stick with technology, then people are more accepting. When your rambles drift into politics, then you show your readers that your thoughts wander quite a bit.

    Stick to tech, or at least put politics in its own section.

  • nat

    @ Realtosh,

    I guess Daniel Robot Dilger needs his objectivity meter set back to a safe, non-confrontational, non-thinking rating of zero because some of the robots here can’t handle his drawing of comparisons between our robot world and the scary all encompassing world of the real.

    eR_ror err_Or – coDe #1984: diFFEriNg of opInioNS is prØHIbiTed!¡ ¬∆˙ƒ˙©†®ƒ∂∂®¥†®¥‡°flfi‹fiflfi›‰Í˛π“º†/

  • obiwan

    I blame this problem on the companies, which do not get their certificates right.

    IMHO, the default setting in web browsers should simply be, to not access sites with certificate problems at all. A dialog along the following lines should be displayed:

    “This page cannot be accessed due to the following certificate problems … If you want to access it anyway, go to preferences -> certificate administration and add it manually to the cert store.”

    This would educate companies, to manage their certificates properly, or not to deploy SSL at all.

    @gus2000:
    As far as I know, certificates are usually based on host names and not on domain names, because you WANT end to end encryption and authentication. Not some sort of wildcard security like *.google.com

  • q

    I am using http://www.web.de and ssl is working like it should – without paying money.
    So the fails from Google, Hotmail should be no criterion for Apple. The criteria for Apple should be higher than the low grade of the big email services. It is Apple! And also you pay money.

  • http://www.adviespraktijk.info Berend Schotanus

    This is an absolutely beautiful example of unexpected outcome with new technology. Well noticed!
    When Google Chrome is about anything, then it is about enabling smooth, fast and safe operation of Web-apps. When you have to name one example to show Web-apps actually work, it should be webmail. So when there would be one showcase app that can prove the power of Chrome it should be Gmail, Google’s own webmail app… Then you get this…

    Auch !!!

    Of course the underlying problem is identity: how can you be sure I am really the one I pretend to be? This problem is much older and more widespread than the Internet. In commercial traffic it is usual that you can check at a Chamber of Commerce who is really the owner of a company, which is quite the same principle. And the world is full of issues with companies and persons who are not who they claim to be in order to enable their criminal activities.

    Still, I think it is humiliating for both Google and Apple that, being big and well trusted companies, they are not able, not even with their own tools, to prove their true identity. It raises the suspicion that they do not give the problem of identity fraud the full attention it deserves.

  • Joel

    Maybe I’m missing something huge here, but why is this a problem…? “this may be caused by a misconfiguration on the server…” — well yes, it is. It’s a cert for mail.gmail.com, being used for http://www.gmail.com, and mail.gmail.com doesn’t appear to exist. Isn’t that an example of a misconfigured server…? But anyhow, isn’t Gmail still in beta, and who would trust a beta webmail server with their email…? And isn’t “Chrome” also a beta…? Liable to change before the finished item.

    Having a misconfigured cert for me.com is a bit bad, but I wonder if this isn’t a cache issue since the cert is for akamai.com…? I notice that https://secure.me.com/account/ is correctly configured, and redirects to the main MobileMe auth page. Perhaps https://www.me.com is just using some kind of Akamai default…? So again the warning is justified. It appears to be a configuration problem. Best email Steve to get it fixed pronto.

    And I’m completely confused how the American Democrat Party ties into all this. A very confusing article, and appears to be slightly under-researched, which isn’t usually the case for this website…

  • gus2000

    Daniel, how dare you post your own thoughts in your own blog, particularly when some people don’t like them. It’s people like you who are ruining teh internets for everybody.

    @obiwan
    The issue is the warning from the browser. Being redirected from “google.com” to “mail.google.com” is very different than being redirected to “ugotpwned.cc”, and the warning to the user should be in proportion to the risk.

    @Berend Schotanus
    If I’m not me, then who the hell am I?

  • obiwan

    @gus2000

    Technically there is no difference. The hostname stored in the certificate does not match the hostname the certificate was retrieved from. Therefore the host is not successfully authenticated. Which is the main goal of SSL (besides the encryption of all subsequently exchanged data).

    To have the browser decide, if it presents you a warning about this fact or silently proceed (based on the similarity of the hostnames), would lead the whole concept ad absurdum.

    The main concern about SSL in this article is, that the browser makes it too easy for the end user to ignore such warnings, by just clicking them away. I fully agree to that. Now, if you allow the browser to even omit these warnings completely under some circumstances, that’s even worse.

    There is no excuse for any company, operating an SSL website, to not keep their certificates valid and up to date.

  • gus2000

    I disagree 100% and stand by my previous comments.

    However, I do agree that companies demanding our trust should keep their !@#%^!@$# certificates current and accurate.

  • http://www.adviespraktijk.info Berend Schotanus

    @gus2000
    “If I’m not me, then who the hell am I?”

    Great thought! Ehm, what was your name?

  • http://www.menk.com/blog/ menk

    Dan

    Lose the liberal swill. No-one reads your excellent technical analysis to get to a video of a man whose tax and business policies will singlehandedly turn America into a protectionist second rate business climate. I understand you are from CA where liberalism is a poison stuffed into the soul of its residents daily but get over it and focus on technology.

  • nat

    @ menk,

    You do realize you’ve undermined your own point by throwing your politics into this public forum, right? The difference between you and Dan is more than political, though you demonstrated holding some anti-American sentiments trying to discourage his right to speak his mind on…his website.

    eR_ror err_Or – coDe #1984: diFFEriNg of opInioNS is prØHIbiTed!¡ ¬∆˙ƒ˙©†®ƒ∂∂®¥†®¥‡°flfi‹fiflfi›‰Í˛π“º†/

    havE a NI_nI_nI_ce DaaaAaAaaaay

  • http://www.roughlydrafted.com danieleran

    @”Contrary to popular belief, the most important reason to use SSL is not authentication (to fight spoofing) but encryption”

    The comments weren’t intended to correct popular belief, but to address the criticism that I encountered when pointing out that SSL is not a security panacea. After encryption, which is an obvious benefit, critics marched out authentication, man-in-the-middle attacks, and DNS poisoning as reasons why MobileMe failed their security baseline.

    What I’m pointing out is that attaching a buzzword solution is not a security solution if that buzzword fails to work as expected. Throwing up panicked warnings is not the same as addressing problems.

    That in itself warrants a comparison with US politics, where the NeoCon extremist right has pursued a policy of domestic terrorism to counter a threat that is less likely to occur than the pain it adds. Obama’s comment on solving that issue through education rather than more DHS big government spending is therefore quite relevant.

    Also, this isn’t a public forum, it’s my website. There’s comments below what I write because I’m not afraid to hear criticism or correction from readers. So I welcome critique, but if you have a bone to pick, please provide more meat than just insisting that wide topics are taboo and must never be mentioned.

    Politics is social engineering, and the decisions and tradeoffs and marketing involved are all very similar to the world of tech.

    @ Joel “Maybe I’m missing something huge here, but why is this a problem…?”

    Google’s issue was that Chrome was not “aware” of the domains in use by the Gmail service, but most importantly, that it presented a domain mismatch that highlights the fragility of using SSL for authentication. If you call your web hosts various different things, you will present a high alert warning identical to a real attack, creating panic that waters out the point of SSL warnings.

    In Apple’s case, it actually changed its domain for .Mac users. Anyone subscribing to MobileMe wouldn’t see this, only .Mac users who realized they were being redirected from mac.com to me.com

    So while you try to spin things by saying essentially that ‘GMail is in beta and can’t be expected to be configured correctly’ and ‘MobileMe is full of problems,’ the truth is that Google failed to consider the consequences of providing a gmail cert for (apparently) google.com/gmail and redirecting users to mail.google.com, added to the fact that Chrome threw up a warning in error.

    Apple did not misconfigure its web services at all. The cert warning was only presented to Mail users who had set up .Mac mail using the .Mac server names. Apple changed these to me.com, so while both work, earlier setups present a fairly straightforward warning that makes sense. It has nothing to do with Apple’s MobileMe web site and Akamai caching.

    And once again: the point is that SSL can only provide security warnings when things appear wrong. Since there are lots of opportunities for things to appear wrong among few actual threats, this creates a fear cloud that does little to address the problem for actual users, and instead just complicates things.

    Should Apple add additional SSL encryption to MobileMe? That’s not the issue here, and there may be better alternatives from a performance standpoint. The real question is: would having added SSL as pundits demanded have prevented real security problems in the way they insisted (an argument that revolved around authentication), or would it have mostly just slowed things down while offering little effective security related to authentication?

  • nat

    @ Daniel,

    Didn’t mean to imply public forum in that sense in my earlier response to those asking you to separate politics from tech. I was referring to your blog’s comments system (note: I don’t really consider this site a “blog”).

    Like at AppleInsider, every editor’s article has an associated forum thread for questions, which are viewable to any reader. Hope that makes sense, but it’s obvious to me now how my description could be easily misunderstood.

  • Joel

    “Google’s issue was that Chrome was not “aware” of the domains in use by the Gmail service, but most importantly, that it presented a domain mismatch that highlights the fragility of using SSL for authentication. If you call your web hosts various different things, you will present a high alert warning identical to a real attack, creating panic that waters out the point of SSL warnings.”

    That’s because they’re using the wrong cert for the wrong domain. It is little work to generate and implement the correct certs for each domain. It’s not a warning identical to a real “attack”, it’s just a warning that the website you’re visiting is misconfigured.

    “So while you try to spin things by saying essentially that ‘GMail is in beta and can’t be expected to be configured correctly’ and ‘MobileMe is full of problems,’ the truth is that Google failed to consider the consequences of providing a gmail cert for (apparently) google.com/gmail and redirecting users to mail.google.com, added to the fact that Chrome threw up a warning in error.”

    All web browsers (including Firefox and Safari) will give the same mismatch warnings. What would you prefer…? That browsers charge on, ignoring config errors and the potential security problems they could indicate? Someone has screwed with your dns so that when you use https://www.myWebMail.com you get a “self-signed” cert error. Since you don’t want to know about these errors the browser ignores them, and Dr Evil has your mail login details.

    “Apple did not misconfigure its web services at all. The cert warning was only presented to Mail users who had set up .Mac mail using the .Mac server names. Apple changed these to me.com, so while both work, earlier setups present a fairly straightforward warning that makes sense. It has nothing to do with Apple’s MobileMe web site and Akamai caching.”

    I was talking about logging into MobileMe from https://www.me.com. With the above problem it appears the domain wasn’t updated by Apple. Seems sloppy, unprofessional. Yep, it’s not a huge problem but gives ammo for pundits who don’t know any better…

    I’m interested in how you can state “Apple did not misconfigure its web services at all” for sure…?

    “And once again: the point is that SSL can only provide security warnings when things appear wrong. Since there are lots of opportunities for things to appear wrong among few actual threats, this creates a fear cloud that does little to address the problem for actual users, and instead just complicates things.”

    So how would a browser know when something is actually wrong, and you’re under attack, compared to a cert misconfiguration…? This is why it is a good idea to have the correct certs for your domains. It reduces the number of false positives. I’d point out the ssl system shows you when things are going fine by indicating through different coloured address bars and icons that the certs check out.

    “Should Apple add additional SSL encryption to MobileMe? That’s not the issue here, and there may be better alternatives from a performance standpoint. The real question is: would having added SSL as pundits demanded have prevented real security problems in the way they insisted (an argument that revolved around authentication), or would it have mostly just slowed things down while offering little effective security related to authentication?”

    Yep, Email is an inherently insecure communication medium. But when I’m sending and receiving it, I’m more concerned about making sure people around me don’t know the contents of my mails. And an SSL connection locally would prevent that. (ie, ssl to MobileMe.)

  • http://www.roughlydrafted.com danieleran

    @ Joel: > “That’s because they’re using the wrong cert for the wrong domain. It is little work to generate and implement the correct certs for each domain. It’s not a warning identical to a real “attack”, it’s just a warning that the website you’re visiting is misconfigured.”

    No I don’t think it’s the wrong cert for the wrong domain, just a limitation of SSL and certificates that makes it problematic to transfer between hosts. Gmail starts the SSL session on one, and then transfers users over to the other resulting in a cert mismatch.

    And the point is that the warning is “identical to a real attack” because it is doing the same thing as an attacker would want to do: move an existing session to a new host.

    So I’m not complaining that SSL warnings are too much to read, I’m pointing out that the warning mechanism isn’t enough to replace education. Users who aren’t paying enough attention to see they’re being redirected to a malicious “paypay.login.com” are not really going to benefit from being told that by an SSL warning, because they don’t see the problem, particularly if they regularly get warnings about safely moving from paypal.com to login.paypal.com for example.

    My critic was arguing that SSL broadly protects users who wouldn’t otherwise know any better, but that’s just wrong, just as wrong as throwing the security burden on users with UAC.

    > “I was talking about logging into MobileMe from https://www.me.com. With the above problem it appears the domain wasn’t updated by Apple. Seems sloppy, unprofessional. Yep, it’s not a huge problem but gives ammo for pundits who don’t know any better…

    > I’m interested in how you can state “Apple did not misconfigure its web services at all” for sure…?”

    Apple didn’t misconfigure MobileMe and I don’t know where you even got that idea, apart from wishing it to be true. There was never an issue related to cert warnings on MM’s SSL because it never occurred. The only SSL warning (noted above in my article) came from users who had set up SSL certs with .Mac email in Mail, and then tried to connect to me.com. The SSL cert worked as expected, and users got a warning that SSL is designed to give.

    Again, the point is that SSL warnings only help users who already know everything and don’t do anything to protect users who don’t fully understand the rather complex concepts of cert / web security.

    “when I’m sending and receiving it, I’m more concerned about making sure people around me don’t know the contents of my mails. And an SSL connection locally would prevent that. (ie, ssl to MobileMe.)”

    Yes, it’s a nice idea, but you’re failing to get that what I addressed is SSL authentication. Without secure authentication, encryption is meaningless. Do you think you’re automatically secure just because your encrypted information is preventing people at Starbucks from looking at your email text? Well have you considered that, if your SSL authentication security fails and you are redirected without realizing it and get a cert warning you OK without thinking, you’re now going to be setting up and sending “encrypted” data with your attacker, without realizing that you’re totally hosed?

    That’s exactly what I’m addressing. Security is not about tacking on a buzzword. It’s about engineering. You can say you understand the idea of encryption, but if you don’t know who your encryption is going to (authentication), or that a “hacker” can set up encryption with you and decrypt what you send them (authentication failure), then you’re not really in a position to say what you “need,” because you don’t know.

    It’s easy to make uninformed demands. I didn’t write the articles to insist that Apple shouldn’t be criticized, I wrote them to inform users so they aren’t making uninformed demands based on faulty information that only delivers half of the story.

  • http://www.roughlydrafted.com danieleran

    @menk > “Lose the liberal swill. No-one reads your excellent technical analysis to get to a video of a man whose tax and business policies will singlehandedly turn America into a protectionist second rate business climate. I understand you are from CA where liberalism is a poison stuffed into the soul of its residents daily but get over it and focus on technology.”

    I think your opinion would have more weight if you actually articulated it rationally. Obama’s tax policy would dial things back to the days of Clinton, which fostered the dotcom boom and served as the longest peacetime expansion in US history. Hardly a “second rate business climate.”

    As for California, you are aware we have a republican governor, right? And that when the candidates needed to find a big evangelical fundamentalist church, they went to SoCal, which is only slightly less knuckle dragging and slow thinkin’ than most of Middle America.

    And if you were thinking specifically about SF, let me assure you that the only “poison stuffed into the soul of its residents daily” comes from the City’s conservative newspapers, which I assure you are all republican shill rags.

    And speaking of which, not even Fox News is buying McCain’s tax policy. It reported:

    “The crowds roar with approval when Obama and Biden describe their plans for a middle class tax cut and boo loudly at statistics showing how McCain’s continuation of the Bush tax cuts favor the wealthy. Of course, these are partisan Obama crowds. But it would be unwise for anyone seriously backing McCain to dismiss their full-throated roars for Obama-Biden on an issue that historically has favored the GOP nominee. […]

    Add to this the mounting evidence that McCain’s TV commercials assailing Obama’s tax policy contain serious distortions, if not out-right lies.”

    When Fox calls McCain’s voice on Obama’s tax policy “serious distortions” and “out-right lies,” it makes it hard to see your viewpoint as being anything more than hysterics from tunnel-red vision due to propagandist head trauma. Maybe lay off the tube.

  • Realtosh

    I was hoping that my comment stating that “daniel has every right to write about whatever topics he wishes on his own website” would somehow prevent many others to complain about daniel injecting politics into a perfectly good tech blog.

    Unfortunately, part of the discussion in this comments section degenerated into the very kind of squabbling that I was hoping to avoid, but that usually happens with mention of politics on this site.

    We have a great country with an armed forces, who go to fight for our freedom wherever and whenever they are called. Our troops have been sacrificing their lives to protect Daniel’s right to say as he pleases. That’s one of the great values that we have in our country.

    My comment was much more pragmatic. It appears that Dan has a point of view that he very much desires to share. I suggest that Dan create a politics section, and add liberally (no pun intended really) to his own politics blog here on RDM.

    This website belongs to Daniel, claims of community participation, mutual benefit & common ownership notwithstanding. He is free to do as he pleases.

    My point still is that since Daniel has a deep-seated desire to share his political views with others (it is an understandable feeling after all), that Daniel should create a political section to complement and rival his tech section. I’m certain that Dan would develop a quite loyal following for his political writing. Many would agree with his views, and others would want to disagree with Dan publicly. I’m sure the discussions would get lively. Not only will it likely be a great read, I get the impression that Dan would thoroughly enjoy the writing.

    So, instead of suggesting that Dan not express himself ( which doesn’t make sense, and wouldn’t happen anyway), I made the constructive comment that Dan should go whole hog and start a political blog on his website to complement his tech blog.

    Dan would enjoy both blogs. He would get a following at both, with some overlap I imagine. Personally, I don’t enjoy having a perfectly good discussion on a tech topic being interrupted with comments about the propriety of Daniel writing about politics on a tech blog.

    So, I encourage Dan to write about his political opinions. And I encourage Dan to do so in a separate political section. Not only would I likely read his political entries, but I would actually appreciate his political writings more.

    Anyway. Back to tech. Thanks for indulging my words. Isn’t freedom such a beautiful thing.

  • obiwan

    @daniel

    “No I don’t think it’s the wrong cert for the wrong domain, just a limitation of SSL and certificates that makes it problematic to transfer between hosts. Gmail starts the SSL session on one, and then transfers users over to the other resulting in a cert mismatch.”

    No, this is not a limitation in SSL. USUALLY a certificate is bound to a certain host (IP address). If they are not able to implement this correctly (by using gateways, load balancers, etc..), they could use multi-domain or wildcard certificates.

    In any case, the end user (or the end users browser) should not be burdened with sorting these problems out. If a company cannot get SSL right (without any warnings presented to the end user), it should not use it at all.
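The name-matching rule David Dennis describes above, together with the wildcard and multi-domain (SAN) alternatives obiwan mentions, as an added example; this is not code from the original post or from any browser, and every certificate and host name in it is constructed for illustration.

```python
"""How a browser decides whether to raise a host name mismatch warning.

Added example (not from the original post). Follows the usual rules: the
Subject Alternative Name list is preferred over the subject CN, matching is
case-insensitive, and a wildcard is honoured only as the whole leftmost label
and covers exactly one label (RFC 6125, section 6.4.3).
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName entries from the SAN extension

    def names(self):
        # Browsers use the SAN list; the CN is only a fallback when no SAN is present.
        return [n.lower().rstrip(".") for n in (self.san_dns or [self.subject_cn])]


def label_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly a wildcard) against one host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host                     # exact match only; no implicit subdomains
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                               # "*" must be the whole leftmost label,
    if len(p_labels) != len(h_labels):             # and "*.com" style patterns are rejected
        return False                               # *.google.com covers neither google.com nor a.b.google.com
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: Certificate, host: str) -> bool:
    return any(label_matches(n, host) for n in cert.names())


def verdict(cert: Certificate, host: str) -> str:
    """The decision behind 'This is probably not the site you are looking for!'."""
    if cert_matches_host(cert, host):
        return "OK"
    return f"MISMATCH: {host} presented a certificate for {', '.join(cert.names())}"


# Constructed certificates (not Google's or Apple's real ones).
GMAIL_ONLY_CERT = Certificate("gmail.com", ["gmail.com", "www.gmail.com"])
GOOGLE_APEX_CERT = Certificate("google.com", ["google.com"])
WILDCARD_CERT = Certificate("*.google.com", ["*.google.com"])
MULTI_DOMAIN_CERT = Certificate("gmail.com", ["gmail.com", "www.gmail.com", "mail.google.com"])


def run_cases() -> dict:
    """Walk through the scenarios discussed in the thread."""
    return {
        # The Gmail case: session starts under gmail.com, user lands on mail.google.com.
        "gmail cert on mail.google.com": verdict(GMAIL_ONLY_CERT, "mail.google.com"),
        # gus2000's question: trusting google.com does not extend to its subdomains.
        "google.com cert on mail.google.com": verdict(GOOGLE_APEX_CERT, "mail.google.com"),
        # obiwan's alternatives: a wildcard covers one label, a SAN cert lists each host.
        "wildcard on mail.google.com": verdict(WILDCARD_CERT, "mail.google.com"),
        "wildcard on google.com": verdict(WILDCARD_CERT, "google.com"),
        "wildcard on a.b.google.com": verdict(WILDCARD_CERT, "a.b.google.com"),
        "multi-domain on mail.google.com": verdict(MULTI_DOMAIN_CERT, "mail.google.com"),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:40s} {result}")
```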
