On Saturday, October 23, 2004 at 1:34:00 PM [GMT -0500], Army Redleg wrote:
> Not a popular subject I take it, as it dies fairly quickly without
> being entertained as a valid issue.

Perhaps because not many have this problem. I'd normally not be too inclined to discuss a problem that doesn't affect me, but in this case I'll offer an opinion. :) I do use SSL/TLS, but I don't have the problem you're having since I do get offered all the certificate info/parts.

> While I consider it a bug- or at least annoying at a minimum, I figure
> with a subject of "Feature wish" it may get some actual consideration
> over me beating that 'dead horse' again...

Not to worry. You'll not be admonished for bringing this up more than once. However, the technically oriented members here tend to be sensitive about TB! being accused of buggy behaviour when it simply fails to cater to non-standard behaviour by servers. It doesn't really have to do this. It's the server admins who really ought to get their act together.

However, I'm pragmatic on issues such as these and understand that in the end, it's the user's comfort and not standards conformation battles that matter at the very end. I do realize that conformation to standards and user comfort do go hand in hand, so the clients and servers really ought to remain compliant.

Providing workarounds is a really sensitive issue. Though it makes the user less frustrated in the end, one wonders what it will do to those who keep breaching the agreed-on standards and getting away with it. They'll breach it again, and again, and again. Should this be allowed for security standards, especially when the breach is clearly not in the spirit of good security?

> Discussion-
> Whenever the POP/IMAP/SMTP server fails to provide the root/CA
> certificate or full chain with the server certificate TB! pops up an
> "Unknown CA certificate" warning.

Shouldn't it?

> In this warning dialog box is a few buttons with "OK" and "CANCEL"
> always selectable, giving temporary/session permission, but "View
> Certificate" and "Add to Trusted" are not selectable unless the server
> provides a full certificate chain.

Well, the certificate cannot be viewed without all the information. How can it be trusted without the full cert chain? So these are greyed out.

> Not being able to view and/or add to trusted forces the user to
> manually OK the session each and every time a connection is made to
> these servers. On accounts where this is true and automatic checking
> for new mail is set this dialog box can be hidden behind other windows
> and even hang the client and/or system if not answered in a timely
> fashion.

So you're wishing for a "trust anyway" button? :)

> Recommendation-
> The "Unknown CA Certificate" dialog box must give the User the ability
> to always select "View" allowing for a verification of server cert
> presented.
> When viewing certificates in this manner a "hash" or digital fingerprint
> should be made of the certificate that TB! will check against in all
> future sessions to protect against sudden changes, tampering, MitM
> issues, etc...
> The "Unknown CA Certificate" dialog box should give the User the ability
> to "Add to Trusted" any server certificate, chain complete or not, if
> they have viewed/verified and have determined this is from a server the
> User trusts (again, regardless if the server negotiates with a complete
> chain or not).
> ====

Interesting. Seems reasonable, though one wonders about the security of it. I guess you're more interested in transmission encryption than in strict authentication of the certificates?

-- 
-= Allie =-
.....
Using yesterday's technology to solve today's problems, tomorrow
__________________________________________________
IMAP [ Client: The Bat! v3.0.1.33 | Server: MDaemon Pro ]
OS: Windows XP Pro (Service Pack 2)
________________________________________________________
Current beta is 3.0.2.1 Beta/1 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
IMPORTANT: To register as a Beta tester, use this link first - http://www.ritlabs.com/en/partners/testers/
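The fingerprint check proposed in the quoted Recommendation (pin the certificate once the user has viewed and verified it, then compare the stored fingerprint on every later session), as an added Python example that is not code from this thread or from The Bat!; the host name and the DER byte strings are constructed placeholders, and a real client would take the DER bytes from the TLS handshake.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the DER bytes of a server certificate (hypothetical
# values; a real client takes them from the TLS handshake, e.g.
# ssl.SSLSocket.getpeercert(binary_form=True)).
CERT_V1 = b"constructed-der-bytes-imap.example.test-v1"
CERT_V2 = b"constructed-der-bytes-imap.example.test-v2"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Host -> fingerprint map: the 'Add to Trusted' list the post asks for."""

    def __init__(self, saved: str = "{}"):
        # Reload pins written by an earlier session (JSON text).
        self.pins = json.loads(saved)

    def dump(self) -> str:
        """Serialise the pins so the next session can reload them."""
        return json.dumps(self.pins, sort_keys=True)

    def check(self, host: str, der: bytes) -> str:
        """Classify a presented certificate without changing the store.

        'first-seen' : nothing pinned; the user must view/verify, then trust().
        'match'      : same certificate as previously trusted; connect silently.
        'MISMATCH'   : pinned fingerprint differs. Could be a routine renewal or
                       an interposed certificate; refuse until re-verified.
        """
        pinned = self.pins.get(host)
        if pinned is None:
            return "first-seen"
        presented = fingerprint(der)
        return "match" if hmac.compare_digest(pinned, presented) else "MISMATCH"

    def trust(self, host: str, der: bytes) -> str:
        """Pin the certificate; call only after the user has viewed/verified it."""
        self.pins[host] = fingerprint(der)
        return self.pins[host]


if __name__ == "__main__":
    store = PinStore()
    host = "imap.example.test"
    print(store.check(host, CERT_V1))         # first-seen
    store.trust(host, CERT_V1)                # user viewed and accepted it
    later = PinStore(store.dump())            # a later session reloads the pins
    print(later.check(host, CERT_V1))         # match
    print(later.check(host, CERT_V2))         # MISMATCH
```

Note that the chain-completeness problem from the thread is untouched by this: pinning only tells you the server is presenting the same certificate as before, not that any CA vouches for it.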

