Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: Dan Morrison <email@hidden>
- Date: Thu, 4 Mar 2010 08:45:52 -0700
I did sign in via the hotel's webpage, but apparently that didn't do
the trick (although all other webpages were working). Interestingly
(and maybe I'm missing something here) the traceroute to
imap.gmail.com and smtp.gmail.com appeared basically the same (I could
sign into IMAP just fine), even though the cert was bad. I expected
to see traceroute show me a different hop path to the server (at least
after I hit the hotel's proxy) if it was indeed being redirected.
Even if Tim is correct and the Apple dialog is a default, it is a
dangerous design because it prompts the user to re-enter their
password without any second warning of the bad cert. What is the
proper channel to report a bug to Apple?
Thanks,
Dan
On Mar 4, 2010, at 0832, Joel Esler wrote:
You are at a hotel? Did you sign in via the webpage before you
tried to send email?
Marriotts intercept all traffic until you agree or pay or whatever.
That's probably why the certificate doesn't match.
--
Joel Esler
Sent from my iPhone
On Mar 4, 2010, at 9:12 AM, "Miller, Timothy J." <email@hidden> wrote:
Thinking about it more, the 'password failed' message was probably
generic; i.e., the connection was dropped because of your (proper)
refusal to explicitly approve trust, and the return code to the
application was simply misinterpreted (or more likely not
discriminated--meaning the app takes *any* failure to complete the
connection as an authentication failure).
-- Tim
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Dan Morrison
Sent: Wednesday, March 03, 2010 11:31 PM
To: Fed Talk
Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
This isn't 100% Fed related, but I thought it would interest folks on this list.

I'm staying in a hotel, and when I try to have Mail.app connect to smtp.google.com to send an email, I get the attached (does this list allow attachments?) dialog warning me that the certificate for smtp.google.com is a self-signed root cert from mail10.wildflower.net.

I am told I can click "Connect" to "connect to the server anyway", or click "Cancel", which presumably drops the connection. When I click cancel, I then (after a few seconds) get a dialog telling me that the server "smtp.gmail.com" has rejected my password, and asking me to re-enter it. I am taking this to mean that even though I told Mail.app NOT to connect to the server, it went ahead and sent my password anyway, potentially providing an adversary with my password.

I changed my Google Apps password just in case (and did not enter the new one in Mail.app), but this behavior seems to be very wrong. What is the point of warning me about an untrusted cert if it connects against my will anyway? Incidentally, the hotel is in Suffolk, VA.

Thoughts?
Dan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Attachment:
PGP.sig
Description: This is a digitally signed message part
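The thread's core concern, that a mail client must not hand over the password before the server's certificate has been verified, as an added example that is not part of this list post or of Mail.app: a fail-closed SMTP submission in Python. `diagnose` classifies a getpeercert()-style dictionary the way the hotel dialog described above would be classified (self-signed issuer, or a name that does not match smtp.gmail.com), and `submit` only calls login() after STARTTLS completed with full verification. The host, port and credentials passed to `submit` are assumed placeholders.

```python
"""Fail-closed SMTP submission: verify the server certificate before any
credentials leave the client. Added illustration, not Mail.app code; it
assumes a modern Python ssl/smtplib and a server offering STARTTLS."""
import smtplib
import ssl


def san_hostnames(cert: dict) -> list:
    """DNS names from a getpeercert()-style dict (subjectAltName entries)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def is_self_signed(cert: dict) -> bool:
    """A self-signed cert names itself as issuer, as in the hotel dialog."""
    return cert.get("issuer") == cert.get("subject")


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or one leading '*.' wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def diagnose(cert: dict, expected_host: str) -> str:
    """Classify a peer certificate the way a cautious client should."""
    if is_self_signed(cert):
        return "self-signed"
    if not any(name_matches(n, expected_host) for n in san_hostnames(cert)):
        return "hostname-mismatch"
    return "ok"


def submit(host, port, user, password, sender, recipients, message):
    """Authenticate only after STARTTLS succeeded with full verification.
    ssl.create_default_context() sets CERT_REQUIRED and check_hostname, so a
    self-signed or mis-named certificate raises before login() can run."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        s.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad cert
        s.ehlo()
        verdict = diagnose(s.sock.getpeercert(), host)
        if verdict != "ok":  # belt and braces: the password never reaches AUTH
            raise ssl.SSLError(f"refusing to authenticate: {verdict}")
        s.login(user, password)
        s.sendmail(sender, recipients, message)
```

With the default context a captive portal's substituted certificate makes starttls() raise, so the client sees a TLS error rather than a misleading "password rejected" and no AUTH command is ever sent.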