RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 4 Mar 2010 10:53:12 -0500
- Acceptlanguage: en-US
- Thread-topic: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
The other possibility is they're doing SSL inspection at a transparent network proxy. This requires them to play man-in-the-middle and would result in a cert trust error like you saw.
Bug reports go to http://bugreporter.apple.com
-- Tim
>-----Original Message-----
>From: Dan Morrison [mailto:email@hidden] On Behalf Of Dan Morrison
>Sent: Thursday, March 04, 2010 9:46 AM
>To: Joel Esler
>Cc: Miller, Timothy J.; Fed Talk
>Subject: Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
>
>I did sign in via the hotel's webpage, but apparently that didn't do
>the trick (although all other webpages were working). Interestingly
>(and maybe I'm missing something here) the traceroute to
>imap.gmail.com and smtp.gmail.com appeared basically the same (I could
>sign into IMAP just fine), even though the cert was bad. I expected
>to see traceroute show me a different hop path to the server (at least
>after I hit the hotel's proxy) if it was indeed being redirected.
>
>Even if Tim is correct and the Apple dialog is a default, it is a
>dangerous design because it prompts the user to re-enter their
>password without any second warning of the bad cert. What is the
>proper channel to report a bug to Apple?
>
>Thanks,
>Dan
>
>On Mar 4, 2010, at 08:32, Joel Esler wrote:
>
>> You are at a hotel? Did you sign in via the webpage before you
>> tried to send email?
>>
>> Marriotts intercept all traffic until you agree or pay or whatever.
>>
>> That's probably why the certificate doesn't match.
>>
>> --
>> Joel Esler
>> Sent from my iPhone
>>
>> On Mar 4, 2010, at 9:12 AM, "Miller, Timothy J." <email@hidden> wrote:
>>
>>> Thinking about it more, the 'password failed' message was probably
>>> generic; i.e., the connection was dropped because of your (proper)
>>> refusal to explicitly approve trust, and the return code to the
>>> application was simply misinterpreted (or more likely not
>>> discriminated--meaning the app takes *any* failure to complete the
>>> connection as an authentication failure).
>>>
>>> -- Tim
>>>
>>>
>>>> -----Original Message-----
>>>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Dan Morrison
>>>> Sent: Wednesday, March 03, 2010 11:31 PM
>>>> To: Fed Talk
>>>> Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
>>>>
>>>> This isn't 100% Fed related, but I thought it would interest folks on
>>>> this list.
>>>>
>>>> I'm staying in a hotel, and when I try to have Mail.app connect to
>>>> smtp.google.com to send an email, I get the attached (does this list
>>>> allow attachments?) dialog warning me that the certificate for
>>>> smtp.google.com is a self-signed root cert from
>>>> mail10.wildflower.net.
>>>>
>>>> I am told I can click "Connect" to "connect to the server anyway", or
>>>> click "Cancel", which presumably drops the connection. When I click
>>>> cancel, I then (after a few seconds) get a dialog telling me that the
>>>> server "smtp.gmail.com" has rejected my password, and asking me to
>>>> re-enter it. I am taking this to mean that even though I told Mail.app
>>>> NOT to connect to the server, it went ahead and sent my password anyway,
>>>> potentially providing an adversary with my password.
>>>>
>>>> I changed my Google Apps password just in case (and did not enter the
>>>> new one in Mail.app), but this behavior seems to be very wrong. What is
>>>> the point of warning me about an untrusted cert if it connects against
>>>> my will anyway? Incidentally, the hotel is in Suffolk, VA.
>>>>
>>>> Thoughts?
>>>>
>>>> Dan
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Fed-talk mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
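As an added example (not code from the thread, from Apple, or from Mail.app), here is the fail-closed behaviour Dan expects of a mail client, written in Python with only the standard library: the server certificate is verified during STARTTLS before any credentials are sent, and a refused certificate is reported as its own failure class rather than as a rejected password, the conflation Tim suspects. The host names and certificate dicts used with it are constructed for illustration.

```python
import smtplib
import ssl


def cert_summary(cert):
    """Summarise a cert dict in ssl.SSLSocket.getpeercert() layout (subject and
    issuer as tuples of RDN tuples). issuer == subject means self-signed, the
    usual look of a certificate minted by an interception proxy."""
    def name(rdns):
        return {attr: value for rdn in rdns for attr, value in rdn}
    subject, issuer = name(cert.get("subject", ())), name(cert.get("issuer", ()))
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": bool(subject) and subject == issuer,
    }


def classify_failure(exc):
    """Name the real cause of a send_mail failure so a refused certificate is
    never reported as a rejected password. Order matters: SSLCertVerificationError
    subclasses SSLError, and the smtplib errors subclass OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted_certificate"
    if isinstance(exc, ssl.SSLError):
        return "tls_failure"
    if isinstance(exc, smtplib.SMTPAuthenticationError):
        return "authentication_failed"
    if isinstance(exc, (smtplib.SMTPException, OSError)):
        return "connection_failed"
    return "unknown"


def send_mail(host, port, username, password, sender, recipients, message):
    """Fail-closed submission: STARTTLS with chain and host-name verification
    against the system trust store; credentials go out only on a verified
    channel. Returns a summary of the server certificate actually presented."""
    context = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)  # untrusted cert raises here, before AUTH
        summary = cert_summary(smtp.sock.getpeercert())
        smtp.ehlo()
        smtp.login(username, password)  # never reached on a refused certificate
        smtp.sendmail(sender, recipients, message)
    return summary
```

A caller wraps `send_mail` in `try`/`except Exception as exc` and reports `classify_failure(exc)`, so an "untrusted_certificate" result is never turned into a password prompt.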