RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 4 Mar 2010 09:12:42 -0500
Thinking about it more, the 'password failed' message was probably generic; i.e., the connection was dropped because of your (proper) refusal to explicitly approve trust, and the return code to the application was simply misinterpreted (or more likely not discriminated--meaning the app takes *any* failure to complete the connection as an authentication failure).
-- Tim
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Dan Morrison
>Sent: Wednesday, March 03, 2010 11:31 PM
>To: Fed Talk
>Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
>
>This isn't 100% Fed related, but I thought it would interest folks on
>this list.
>
>I'm staying in a hotel, and when I try to have Mail.app connect to
>smtp.google.com to send an email, I get the attached (does this list
>allow attachments?) dialog warning me that the certificate for
>smtp.google.com is a self-signed root cert from mail10.wildflower.net.
>
>I am told I can click "Connect" to "connect to the server anyway", or
>click "Cancel", which presumably drops the connection. When I click
>cancel, I then (after a few seconds) get a dialog telling me that the
>server "smtp.gmail.com" has rejected my password, and asking me to re-
>enter it. I am taking this to mean that even though I told Mail.app NOT
>to connect to the server, it went ahead and sent my password anyway,
>potentially providing an adversary with my password.
>
>I changed my Google Apps password just in case (and did not enter the
>new one in Mail.app), but this behavior seems to be very wrong. What is
>the point of warning me about an untrusted cert if it connects against
>my will anyway? Incidentally, the hotel is in Suffolk, VA.
>
>Thoughts?
>
>Dan
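
The distinction discussed in this thread, as an added example that is not part of either message and is not Mail.app's code: a client routine that verifies the certificate before any credentials are sent and reports a trust failure separately from a rejected password. The `smtp_factory` parameter, the `Outcome` names, the `UntrustedCertServer` stand-in and the host and credential values are assumptions constructed for illustration.

```python
import smtplib
import ssl
from enum import Enum

class Outcome(Enum):
    OK = "authenticated"
    CERT_UNTRUSTED = "server certificate not trusted; password was not sent"
    AUTH_REJECTED = "server rejected the password"
    CONNECT_FAILED = "connection failed before authentication"

def submit_login(host, user, password, port=587, smtp_factory=smtplib.SMTP):
    """Return (Outcome, password_sent).

    smtp_factory is a hypothetical injection point so the flow can be
    exercised offline; by default the real smtplib.SMTP is used.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    password_sent = False
    conn = None
    try:
        conn = smtp_factory(host, port, timeout=15)
        conn.ehlo()
        conn.starttls(context=ctx)      # certificate is verified here
        conn.ehlo()
        password_sent = True            # from here on the secret may be on the wire
        conn.login(user, password)
        return Outcome.OK, password_sent
    except ssl.SSLCertVerificationError:
        return Outcome.CERT_UNTRUSTED, password_sent
    except smtplib.SMTPAuthenticationError:
        return Outcome.AUTH_REJECTED, password_sent
    except (OSError, smtplib.SMTPException):
        return Outcome.CONNECT_FAILED, password_sent
    finally:
        if conn is not None:
            conn.close()

class UntrustedCertServer:
    """Constructed stand-in for a server presenting an untrusted certificate."""
    def __init__(self, host, port, timeout=None):
        self.login_calls = 0
    def ehlo(self): pass
    def starttls(self, context=None):
        raise ssl.SSLCertVerificationError(1, "self-signed certificate")
    def login(self, user, password): self.login_calls += 1
    def close(self): pass

if __name__ == "__main__":
    outcome, sent = submit_login("smtp.example.test", "user", "constructed-secret",
                                 smtp_factory=UntrustedCertServer)
    print(outcome.value, "| password sent:", sent)
```

The order of the `except` clauses matters: `ssl.SSLCertVerificationError` and `smtplib.SMTPAuthenticationError` are both subclasses of `OSError`, so the generic handler has to come last or every failure collapses into one message.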