Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: Joel Esler <email@hidden>
- Date: Thu, 04 Mar 2010 10:32:37 -0500
You are at a hotel? Did you sign in via the webpage before you tried
to send email?
Marriotts intercept all traffic until you agree or pay or whatever.
That's probably why the certificate doesn't match.
--
Joel Esler
Sent from my iPhone
On Mar 4, 2010, at 9:12 AM, "Miller, Timothy J." <email@hidden> wrote:
Thinking about it more, the 'password failed' message was probably
generic; i.e., the connection was dropped because of your (proper)
refusal to explicitly approve trust, and the return code to the
application was simply misinterpreted (or more likely not
discriminated--meaning the app takes *any* failure to complete the
connection as an authentication failure).
-- Tim
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Dan Morrison
Sent: Wednesday, March 03, 2010 11:31 PM
To: Fed Talk
Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
This isn't 100% Fed related, but I thought it would interest folks on
this list.
I'm staying in a hotel, and when I try to have Mail.app connect to
smtp.google.com to send an email, I get the attached (does this list
allow attachments?) dialog warning me that the certificate for
smtp.google.com is a self-signed root cert from
mail10.wildflower.net.
I am told I can click "Connect" to "connect to the server anyway", or
click "Cancel", which presumably drops the connection. When I click
cancel, I then (after a few seconds) get a dialog telling me that the
server "smtp.gmail.com" has rejected my password, and asking me to
re-enter it. I am taking this to mean that even though I told
Mail.app NOT to connect to the server, it went ahead and sent my
password anyway, potentially providing an adversary with my password.
I changed my Google Apps password just in case (and did not enter the
new one in Mail.app), but this behavior seems to be very wrong. What
is the point of warning me about an untrusted cert if it connects
against my will anyway? Incidentally, the hotel is in Suffolk, VA.
Thoughts?
Dan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
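Added example, not part of the original thread and not Mail.app's code: a Python SMTP submission client that keeps the two failure cases discussed above apart, so a refused certificate is never reported as a rejected password and the password is never sent on an unverified connection. The names `classify_failure` and `submit` are hypothetical.

```python
import smtplib
import ssl

def classify_failure(exc):
    """Name the stage that failed. Order matters: ssl.SSLError and
    smtplib.SMTPException are both OSError subclasses, so a broad
    'except OSError' would lump a refused certificate in with a bad password."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-certificate"   # e.g. an intercepting host's self-signed cert
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"
    if isinstance(exc, smtplib.SMTPAuthenticationError):
        return "auth-rejected"               # server received credentials and refused them
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-error"                  # includes "STARTTLS not offered"
    if isinstance(exc, OSError):
        return "network-error"
    return "unknown"

def submit(host, port, user, password, sender, recipients, message, context=None):
    """Send one message; return "sent" or the classify_failure() label."""
    # The default context verifies both the certificate chain and the hostname.
    ctx = context or ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=15) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)   # raises here on an untrusted cert,
            smtp.ehlo()                  # so login() below is never reached
            smtp.login(user, password)
            smtp.sendmail(sender, recipients, message)
        return "sent"
    except Exception as exc:
        return classify_failure(exc)
```

A user-facing client would show the "re-enter your password" prompt only for the `auth-rejected` label.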