[Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: Dan Morrison <email@hidden>
- Date: Wed, 3 Mar 2010 22:31:01 -0700
This isn't 100% Fed related, but I thought it would interest folks on this list.
I'm staying in a hotel, and when I try to have Mail.app connect to smtp.google.com to send an email, I get the attached (does this list allow attachments?) dialog warning me that the certificate for smtp.google.com is a self-signed root cert from mail10.wildflower.net.
I am told I can click "Connect" to "connect to the server anyway", or click "Cancel", which presumably drops the connection. When I click cancel, I then (after a few seconds) get a dialog telling me that the server "smtp.gmail.com" has rejected my password, and asking me to re-enter it. I am taking this to mean that even though I told Mail.app NOT to connect to the server, it went ahead and sent my password anyway, potentially providing an adversary with my password.
I changed my Google Apps password just in case (and did not enter the new one in Mail.app), but this behavior seems to be very wrong. What is the point of warning me about an untrusted cert if it connects against my will anyway? Incidentally, the hotel is in Suffolk, VA.
Thoughts?
Dan
Attachment: bad gmail.jpg (JPEG image)