

Re: [projectvrm] Minimum viable VRM web site or service


  • From: Andy Jennings < >
  • To: Brian Behlendorf < >
  • Cc: ProjectVRM list < >
  • Subject: Re: [projectvrm] Minimum viable VRM web site or service
  • Date: Thu, 15 Jan 2015 14:00:41 -0700



On Thu, Jan 15, 2015 at 12:30 PM, Brian Behlendorf < > wrote:
On Thu, 15 Jan 2015, Andy Jennings wrote:
Since Verizon sells me the phone and sends me numerous "security updates" which I install unquestioningly, what's to prevent them from installing a "Verizon MITM" certificate authority and MITM'ing all of my SSL connections, too?  How would I ever know?

They don't even need to do that.  The default list of CAs in both Firefox and Chrome, as well as in the default list of CAs trusted by Android (see Settings -> Security -> Trusted Credentials), and presumably in the list of CAs for Firefox on Android.... all of those places have multiple CA certificates from Verisign, which VZ can use to issue bogus certificates for HTTPS.


I know their names are similar, but I was not aware of a relationship between Verizon and Verisign.  Is there one?

~ Andy


