Wow, the security features Chrome used to nullify the attack were just implemented in June. I wonder if that was a reaction to another incident like this, or if it was just good foresight?
They ship one of the Big 4 browsers and run the Internet's most popular mail server (and thus biggest TLS target). They're uniquely poised to do things like this.
> In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents[1][2] where a CA has its authority abused, and generally protects against the proliferation of signing authority.
This isn't the first time something like this has happened. I don't know if they did it in response to any one particular incident, but they have every reason in the world to implement something like that.
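The check the quoted passage describes, as an added illustration that is not part of any comment above and is not Chromium's code: a chain for a pinned host must pass ordinary validation and also contain a key from that host's pin set. The host names, the pin table, the SHA-256 pin format, the parent-domain matching and the byte strings standing in for public keys are all assumptions made for this sketch.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SPKI_PINNED_CA = b"constructed-spki:pinned-ca"
SPKI_OTHER_CA = b"constructed-spki:other-trusted-ca"
SPKI_LEAF_GOOD = b"constructed-spki:leaf-issued-by-pinned-ca"
SPKI_LEAF_ROGUE = b"constructed-spki:leaf-issued-by-other-ca"


def spki_pin(spki_der: bytes) -> str:
    """Base64 of SHA-256 over the public key info (pin format assumed here)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Hypothetical built-in pin table: host -> acceptable key hashes.
PINS = {"mail.example": {spki_pin(SPKI_PINNED_CA)}}


def pins_for(host: str):
    """Return the pin set for host or its nearest pinned parent, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PINS:
            return PINS[candidate]
    return None


def accept_chain(host: str, chain_spkis, chain_is_trusted: bool) -> bool:
    """chain_is_trusted is the result of normal path validation, done elsewhere.

    Pinning never replaces that validation; it only narrows which of the
    already-trusted CAs may vouch for a pinned host.
    """
    if not chain_is_trusted:
        return False
    pins = pins_for(host)
    if pins is None:
        return True  # unpinned host: ordinary validation alone decides
    return any(spki_pin(spki) in pins for spki in chain_spkis)


if __name__ == "__main__":
    rogue = [SPKI_LEAF_ROGUE, SPKI_OTHER_CA]  # valid chain, but wrong CA for this host
    print(accept_chain("mail.example", rogue, True))
    print(accept_chain("other.example", rogue, True))
```

The first call shows the case the thread is about: a certificate that chains to a trusted CA is still rejected for the pinned host because that CA is not in the host's pin set.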