RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- Subject: RE: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
- From: "Mueller, David S CIV SPAWARSYSCEN-PACIFIC, 55620" <email@hidden>
- Date: Thu, 4 Mar 2010 08:27:08 -0800
- Thread-topic: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
My guess if the traceroute is working is that they're intercepting
outbound SMTP (port 25/465) traffic and redirecting it to their server.
Since traceroute normally uses high-numbered UDP destination ports, it's
not getting redirected. Try using "traceroute -P tcp -p 465
smtp.gmail.com" (or whatever port you have configured for smtp.gmail.com
in Mail.app) and see what happens.
While I understand possible reasons for doing this, it does present a
problem. Services that use SPF (Sender Policy Framework, RFC 4408) in
their spam filter (like Gmail) are more likely to dump your messages
into the spam folder, since mail10.wildflower.net likely isn't listed as
a permitted sender for gmail.com.
I'd suggest sticking with Gmail's web interface (over https of course)
when encountering situations like this.
- David
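The failure mode Dan describes (a warning about an untrusted certificate, then the password sent anyway) comes down to ordering: the client has to finish certificate verification, including the hostname check, before it ever issues AUTH. The following is an added example written for this thread, not code from Mail.app or from any poster. The two certificate dictionaries are constructed in the shape that Python's ssl getpeercert() returns, one resembling the legitimate server and one resembling the self-signed certificate the hotel's box presented; the hostnames are taken from the thread, everything else is assumed.

```python
"""Certificate check a mail client must do before sending any credential.

Added example for this thread, not code from Mail.app or from any poster.
The two certificate dictionaries are constructed to resemble what
ssl.SSLSocket.getpeercert() returns: one for the real server, one for a
self-signed certificate presented by a box that intercepts port 465.
"""
import smtplib
import ssl

# Constructed peer certificates (shape of ssl getpeercert(); not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "smtp.gmail.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "smtp.gmail.com"),),
}
INTERCEPT_CERT = {  # self-signed: issuer equals subject, no SAN
    "subject": ((("commonName", "mail10.wildflower.net"),),),
    "issuer": ((("commonName", "mail10.wildflower.net"),),),
}


def names_from_cert(cert):
    """DNS names the certificate claims: SAN dNSName entries, or the subject
    CN only when the certificate carries no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: exact match, or a '*' that stands for
    exactly one leftmost label ('*.example.net' covers 'smtp.example.net'
    but neither 'a.smtp.example.net' nor 'example.net')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_matches_host(cert, hostname):
    return any(name_matches(name, hostname) for name in names_from_cert(cert))


def decide_before_auth(cert, expected_host):
    """The decision the dialog is supposed to implement: (ok, reason)."""
    if cert_matches_host(cert, expected_host):
        return True, "certificate names %s; proceeding to AUTH" % expected_host
    return False, "certificate is for %s, not %s; no credential will be sent" % (
        ", ".join(names_from_cert(cert)), expected_host)


def connect_then_login(host, port, user, password, verify=True):
    """Submission over implicit TLS (port 465) done in the right order: the
    handshake, including the hostname check, must succeed before AUTH.
    verify=False is the dialog's 'Connect' button: the password then goes
    to whatever is answering on the port."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        smtp = smtplib.SMTP_SSL(host, port, timeout=10, context=ctx)
    except ssl.SSLCertVerificationError as exc:
        # Handshake failed: the connection is gone and no AUTH was sent.
        return "refused: %s" % exc.reason
    try:
        smtp.login(user, password)
        return "authenticated"
    except smtplib.SMTPAuthenticationError:
        return "password rejected"
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass
```

Run from the hotel network, connect_then_login("smtp.gmail.com", 465, user, password) with the default verify=True returns a "refused" string at the handshake, so a later "password rejected" dialog can only appear if the client proceeded anyway. The offline helpers show the same decision on the constructed certificates: the self-signed mail10.wildflower.net certificate has no name matching smtp.gmail.com and is rejected before any AUTH.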
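On the SPF point: a receiver evaluates the sending domain's SPF record against the IP address the message actually arrived from, so a message relayed through the hotel's box carries an @gmail.com sender but an unlisted source address. The following is an added example, not code from Gmail or from any poster; the zone, the record contents and the addresses (documentation ranges) are all constructed for the example and are not Google's real records.

```python
"""Tiny SPF (RFC 4408) evaluator over a constructed zone.

Added example for this thread, not code from Gmail or from any poster. The
records below are made up for the example (the real google.com records are
not reproduced); they show why a message claiming an @gmail.com sender is
marked softfail when it arrives from a relay the domain owner never listed.
"""
import ipaddress

# Constructed TXT records: domain -> SPF string. Addresses are from the
# RFC 5737 / RFC 3849 documentation ranges, not any real netblock.
ZONE = {
    "gmail.com": "v=spf1 redirect=_spf.example-mail.test",
    "_spf.example-mail.test": "v=spf1 include:_netblocks.example-mail.test ~all",
    "_netblocks.example-mail.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, zone, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none')
    for a connection from sender_ip whose MAIL FROM is in `domain`.
    Supports the ip4/ip6/include/all mechanisms and the redirect modifier,
    which is enough for the chain above; a/mx/exists/ptr are omitted."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no usable record, or too many nested lookups
    addr = ipaddress.ip_address(sender_ip)
    redirect_to = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_OF_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT_OF_QUALIFIER[qualifier]
        if term.startswith("redirect="):
            redirect_to = term[len("redirect="):]  # applied only if nothing matches
        elif term.startswith("include:"):
            # include matches only when the referenced record evaluates to pass
            if check_spf(sender_ip, term[len("include:"):], zone, depth + 1) == "pass":
                return RESULT_OF_QUALIFIER[qualifier]
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return RESULT_OF_QUALIFIER[qualifier]
    if redirect_to:
        return check_spf(sender_ip, redirect_to, zone, depth + 1)
    return "neutral"
```

With these constructed records a message from 203.0.113.25 claiming gmail.com passes, while the same message arriving from 198.51.100.7 (standing in for the hotel's relay) falls through the include to the trailing ~all and is marked softfail, which is what a spam filter weighs against it.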
-----Original Message-----
From: Dan Morrison
Sent: Thursday, March 04, 2010 7:46 AM
To: Joel Esler
Cc: Fed Talk
Subject: Re: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
I did sign in via the hotel's webpage, but apparently that didn't do
the trick (although all other webpages were working). Interestingly
(and maybe I'm missing something here) the traceroute to
imap.gmail.com and smtp.gmail.com appeared basically the same (I could
sign into IMAP just fine), even though the cert was bad. I expected
to see traceroute show me a different hop path to the server (at least
after I hit the hotel's proxy) if it was indeed being redirected.
Even if Tim is correct and the Apple dialog is a default, it is a
dangerous design because it prompts the user to re-enter their
password without any second warning of the bad cert. What is the
proper channel to report a bug to Apple?
Thanks,
Dan
On Mar 4, 2010, at 08:32, Joel Esler wrote:
> You are at a hotel? Did you sign in via the webpage before you
> tried to send email?
>
> Marriotts intercept all traffic until you agree or pay or whatever.
>
> That's probably why the certificate doesn't match.
>
> --
> Joel Esler
> Sent from my iPhone
>
> On Mar 4, 2010, at 9:12 AM, "Miller, Timothy J." <email@hidden> wrote:
>
>> Thinking about it more, the 'password failed' message was probably
>> generic; i.e., the connection was dropped because of your (proper)
>> refusal to explicitly approve trust, and the return code to the
>> application was simply misinterpreted (or more likely not
>> discriminated--meaning the app takes *any* failure to complete the
>> connection as an authentication failure).
>>
>> -- Tim
>>
>>
>>> -----Original Message-----
>>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Dan Morrison
>>> Sent: Wednesday, March 03, 2010 11:31 PM
>>> To: Fed Talk
>>> Subject: [Fed-Talk] Mail.app ignores the "Verify Certificate" dialog?
>>>
>>> This isn't 100% Fed related, but I thought it would interest folks on this list.
>>>
>>> I'm staying in a hotel, and when I try to have Mail.app connect to smtp.google.com to send an email, I get the attached (does this list allow attachments?) dialog warning me that the certificate for smtp.google.com is a self-signed root cert from mail10.wildflower.net.
>>>
>>> I am told I can click "Connect" to "connect to the server anyway", or click "Cancel", which presumably drops the connection. When I click cancel, I then (after a few seconds) get a dialog telling me that the server "smtp.gmail.com" has rejected my password, and asking me to re-enter it. I am taking this to mean that even though I told Mail.app NOT to connect to the server, it went ahead and sent my password anyway, potentially providing an adversary with my password.
>>>
>>> I changed my Google Apps password just in case (and did not enter the new one in Mail.app), but this behavior seems to be very wrong. What is the point of warning me about an untrusted cert if it connects against my will anyway? Incidentally, the hotel is in Suffolk, VA.
>>>
>>> Thoughts?
>>>
>>> Dan