Hello TheBat! Beta Testers and Developers! Not a popular subject I take it, as it dies fairly quickly without being entertained as a valid issue. While I consider it a bug, or at least annoying at a minimum, I figure with a subject of "Feature wish" it may get some actual consideration over me beating that 'dead horse' again...
Issue: Initiate an SSL or TLS session with a POP/IMAP/SMTP server that presents an incomplete certificate chain (has a verifiable server certificate but lacks the CA or issuer in the chain).

====

Discussion: Whenever the POP/IMAP/SMTP server fails to provide the root/CA certificate or full chain with the server certificate, TB! pops up an "Unknown CA certificate" warning. In this warning dialog box are a few buttons, with "OK" and "CANCEL" always selectable, giving temporary/session permission, but "View Certificate" and "Add to Trusted" are not selectable unless the server provides a full certificate chain. Not being able to view and/or add to trusted forces the user to manually OK the session each and every time a connection is made to these servers. On accounts where this is true and automatic checking for new mail is set, this dialog box can be hidden behind other windows and even hang the client and/or system if not answered in a timely fashion. If TB! is minimized to the systray and the connection center is minimized to the toolbar, the only way to view the "Unknown CA Cert" dialog box to OK or Cancel is to right-click on TB! in the system tray, bringing the focus of the "UKN CA" dialog to the front.

I have had to set 4 different accounts with two servers to manual checking for new mail only due to this behavior. The strange thing is that with one of these servers I already have the CA cert in my address book; it is there from the SMTP chain with this service (cotse.net). The other service (us.army.mil) remains unresponsive to my requests that they negotiate POP/IMAP/SMTP sessions with a complete certificate chain, and I doubt there will be many voices raising issue with this, as other clients deal with it very easily.

====

Recommendation: The "Unknown CA Certificate" dialog box must give the User the ability to always select "View", allowing for verification of the server cert presented. When viewing certificates in this manner, a "hash" or digital fingerprint should be made of the certificate that TB! will check against in all future sessions to protect against sudden changes, tampering, MitM issues, etc... The "Unknown CA Certificate" dialog box should give the User the ability to "Add to Trusted" any server certificate, chain complete or not, if they have viewed/verified it and have determined this is from a server the User trusts (again, regardless of whether the server negotiates with a complete chain or not).

====

In closing: I would appreciate hearing other users' input on this as well, if it is a valid feature wish and whether it is considered by the Development team. Thank you.

-- 
Most Sincerely,
Mark (Army RedLeg)
Enjoying TheBat! Professional Edition v.3.0.2.1 on Win2kSP4/PIII-600/512MB.
coming to you "LIVE!, From Albuquerque" <g>
Eric Howes' Protecting Your Privacy & Security: https://netfiles.uiuc.edu/ehowes/www/
Good chance you'll find *all* the goodies here: http://lists.gpick.com/
looking for a nice place off the beaten usenet path? join us: nntp://news.securecomp.org

________________________________________________________
Current beta is 3.0.2.1 Beta/1 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
IMPORTANT: To register as a Beta tester, use this link first - http://www.ritlabs.com/en/partners/testers/
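The fingerprint-pinning behaviour the recommendation asks for (view the leaf certificate, record its hash once the user has verified it, and compare on every later session so a changed certificate is flagged rather than silently accepted) sketched as a small Python example; this is added illustration, not The Bat!'s code, and the PinStore/fingerprint/fetch_server_cert names and the trust-on-first-use flow are my own assumptions.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, shown like a cert viewer does."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Pins keyed by host:port. Nothing is pinned automatically: a pin is only
    recorded via trust(), i.e. after the user has viewed and verified the cert."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None  # None = in-memory only
        self.pins = json.loads(self.path.read_text()) if self.path and self.path.exists() else {}

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """'new' when no pin exists yet, 'match', or 'mismatch' (possible tampering/MitM)."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return "new"
        return "match" if pinned == fingerprint(der_cert) else "mismatch"

    def trust(self, host: str, port: int, der_cert: bytes) -> None:
        self.pins[f"{host}:{port}"] = fingerprint(der_cert)
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def fetch_server_cert(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Complete the handshake even when the chain is incomplete, so the leaf cert
    can be shown to the user; trust is decided by PinStore.check, not by this context."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # chain validation replaced by the pin comparison
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo_sessions():
    """Offline walk-through with constructed DER stand-ins (not real certificates)."""
    store = PinStore()
    cert_a, cert_b = b"constructed-der-cert-A", b"constructed-der-cert-B"
    first = store.check("pop.example.test", 995, cert_a)      # user views, then accepts
    store.trust("pop.example.test", 995, cert_a)
    later = store.check("pop.example.test", 995, cert_a)      # same cert next session
    changed = store.check("pop.example.test", 995, cert_b)    # cert suddenly differs
    return first, later, changed
```

fetch_server_cert talks to the network and is only called by the caller; demo_sessions runs entirely offline against constructed bytes.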

