BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Delivering mail to folders

Subject: [Discuss] Delivering mail to folders
From: blu at nedharvey.com (Edward Ned Harvey (blu))
Date: Mon, 1 Feb 2016 22:50:38 +0000
In-reply-to: <56AFA61E.6000103@gmail.com>
References: <56AE7E30.8000002@thekramers.net> <BY2PR04MB18423BE3482CCEA9254F8560DCDD0@BY2PR04MB1842.namprd04.prod.outlook.com> <56AE96AD.2090105@thekramers.net> <BY2PR04MB184227277919A01002E80C12DCDE0@BY2PR04MB1842.namprd04.prod.outlook.com> <56AFA61E.6000103@gmail.com>

> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Tom Metro
> 
> > Ever-so-slightly better than no encryption.
> 
> Huh? We're talking about using a self-signed cert for IMAP access, right?
> 
> Self-signed certs have all the same cryptographic benefits as a CA
> signed cert, including having your client validate the cert, if you
> install your own root cert on your clients.
> 
> The only down-side to self-signed certs is the inconvenience of having
> to install the root certs on your clients. This is why they aren't used
> for public web sites.

Creating a self-signed cert isn't the same thing as creating your own CA and installing the CA root as a trusted root on your clients. If you create your own CA and distribute your own CA root to all your clients - as you said - you'll get pretty good security (unless you screw something up). A self-signed cert is one which certifies itself. The client cannot follow any chain to a trusted root, so the client needs to either reject the cert, or prompt for user interaction (in which case, users almost invariably click "accept," and thus are easy to attack via MITM). If the user accepts the cert, some clients (such as firefox) have the option to do certificate pinning, so it won't prompt again when it sees the same self-signed cert, similar to the way ssh behaves when connecting to a new unrecognized server.

But if you have a client that prompts you to accept a self-signed cert, and you accept it, and the client pins it, and at a later time the cert changes (MITM attack)... Does the client prompt you again? Openssh refuses to talk to a server with a pubkey different from the pinned key, as it should. But every SSL client I've ever seen (firefox, chrome, ie, etc) will prompt you again to accept the unrecognized cert, so even highly technical and reasonably alert people are still vulnerable to the MITM attack on a self-signed cert. ... As David in particularly would be, because he mentioned a checkbox for "ssl accept any certificate," and asked "is that a good option?"

Follow-Ups:
- [Discuss] Delivering mail to folders
  - From: jabr at blu.org (John Abreau)

References:
- [Discuss] Delivering mail to folders
  - From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] Delivering mail to folders
  - From: tmetro+blu at gmail.com (Tom Metro)

Prev by Date: [Discuss] Delivering mail to folders
Next by Date: [Discuss] Delivering mail to folders
Previous by thread: [Discuss] Delivering mail to folders
Next by thread: [Discuss] Delivering mail to folders
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.