Hi Vilius, On Wed, 16 May 2007 00:47:05 +0300 UTC (5/15/2007, 4:47 PM -0500 UTC my time), Vilius Šumskas wrote:
>> because TB! is the only client on the face of the planet which will not
>> allow you to accept an expired cert, you have to install Stunnel and
>> configure it manually, then open up that first, then use TB! for that
>> server. You see the good people at Ritlabs will not allow you to trust
>> yourself to make a judgment whether you are smart enough to accept certs
>> that have expired on IMAP servers.

V> Actually this is a very good decision. Many users just don't read what's
V> written on every popup. They press YES YES YES.

So? If they have an IMAP account, they should not have to press YES after the first go-around to accept the cert permanently. We are not talking about every popup. It is standard procedure when first using an IMAPS account to ask one time whether you wish to accept a cert, and if so, permanently; no big deal. Standard procedure if you use SSL and IMAP.

V> And why on earth do people use a certificate if it is expired? (or self
V> signed)?

I have been using one on a remote server (along with my other customers) for years, after it expired. It originally had a life of 3 years. Why should I replace it? Does it not still encrypt the connection?

V> It can be very easily compromised and by accepting such a certificate you
V> NEVER know if it comes from your server or from a 3rd person in between.

You have fallen under the misconception of the "compromised server" syndrome :) There is nothing to be compromised whether you use an expired cert or not. See below please for the real understanding.

1. Your mail client has to find the server using DNS published records which point to the IMAP server. Hardly room for any man-in-the-middle attacks, since it is extremely difficult to poison DNS servers, let alone to find the DNS server that you would be using.

2. Here is where your above statement is flawed. In order to log in to your server, you have to AUTHENTICATE.... you must provide a password, or in combo with CRAM-MD5 or some such, although it could be plain. Most importantly........

3. IMAP certs do *nothing* except encrypt the connection from the client to the server. It has nothing to do with authentication, nothing to do with compromising a server. We are not talking about e-commerce here, where you send your credit card over the wire. We are talking about encrypting a connection to/from an IMAP server. You still have to authenticate, if the server is worth anything and not a public server, in which case just use port 143 without SSL. It is the authentication that is important.

4. Every other email client allows the user to choose whether he wishes to accept a cert, any cert, for IMAP. I'm a grown-up guy, and I can make my own decisions if I want to accept a cert or not. Jumping through hoops to get to an IMAP server, after you have used Stunnel a few thousand times, is just a pain, unnecessary I might add. It is just easier to use another client.

-- 
Gary
________________________________________________________
Current beta is 3.99.06 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
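Added after the thread, and not code from either poster or from Ritlabs: a Python example of the check a strict IMAPS client performs on the server certificate's validity window, the check that makes an expired certificate fail in the handshake, plus a look at what a default verifying context actually enforces. The certificate dict, the host name and the epoch values are constructed for illustration.

```python
"""Certificate validity-window check and a verifying IMAPS handshake,
using only the Python standard library."""
import imaplib
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert():
# a three-year certificate that expired in May 2007.
EXPIRED_CERT = {
    "subject": ((("commonName", "imap.example.invalid"),),),
    "notBefore": "May 15 00:00:00 2004 GMT",
    "notAfter": "May 15 23:59:59 2007 GMT",
}


def cert_validity_status(cert, now=None):
    """Classify a getpeercert()-style dict as 'valid', 'expired' or
    'not-yet-valid' relative to `now` (epoch seconds, default: current time).
    This is the notBefore/notAfter part of what a verifying client checks."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def strict_context():
    """A default context: chain verification required and host name checked."""
    return ssl.create_default_context()


def verification_settings(context):
    """Report what a context enforces. Accepting an expired or self-signed
    certificate with the stdlib means verify_mode=CERT_NONE, which also
    drops the chain and host name checks, not only the expiry check."""
    return {"verify_mode": context.verify_mode.name,
            "check_hostname": context.check_hostname}


def imaps_peer_cert(host, port=993):
    """Open an IMAPS connection with full verification and return the
    server's certificate. An expired or untrusted certificate raises
    ssl.SSLCertVerificationError before any credentials are sent."""
    with imaplib.IMAP4_SSL(host, port, ssl_context=strict_context()) as conn:
        return conn.sock.getpeercert()
```

`imaps_peer_cert("imap.example.invalid")` needs network access; the validity and settings checks run offline.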

