Re: [projectvrm] Minimum viable VRM web site or service

[Brian Behlendorf < >]

On Thu, 15 Jan 2015, Andy Jennings wrote:
> On Thu, Jan 15, 2015 at 12:30 PM, Brian Behlendorf 
> <
>  >
>  wrote:
>       On Thu, 15 Jan 2015, Andy Jennings wrote:
>             Since Verizon sells me the phone and sends me numerous "security 
> updates" which I install unquestioningly, what's to prevent them from installing a 
> "Verizon
>             MITM" certificate authority and MITM'ing all of my SSL 
> connections, too?  How would I ever know?
>
>
>       They don't even need to do that.  The default list of CAs in both Firefox and 
> Chrome, as well as in the default list of CAs trusted by Android (see Settings 
> -> Security ->
>       Trusted Credentials), and presumably in the list of CAs for Firefox on 
> Android.... all of those places have multiple CA certificates from Verisign, 
> which VZ can use to
>       issue bogus certificates for HTTPS.
>
> I know their names are similar, but I was not aware of a relationship between 
> Verizon and Verisign.  Is there one?

Gah.  You're right.  Total mistake on my part.  I see no Verizon CAs in 
these browsers.

Brian