Gary <[EMAIL PROTECTED]> wrote:

Hi Vilius,

On Wed, 16 May 2007 00:47:05 +0300 UTC (5/15/2007, 4:47 PM -0500 UTC my
time), Vilius Šumskas wrote:

because TB! is the only client on the face of the planet which will not
allow you to accept an expired cert, you have to install Stunnel and
configure it manually, then open up that first, then use TB! for that
server. You see the good people at Ritlabs will not allow you to trust
yourself to make a judgment whether you are smart enough to accept certs
that have expired on IMAP servers.

V> Actually this is very good decision. Many users just don't read what's
V> written on every popup. They press YES YES YES.

So? If they have an IMAP account, they should not have to press YES after
the first go-around to accept the cert permanently. We are not talking about
every popup. It is standard procedure when first using an IMAPS account, to
ask one time, whether you wish to accept a cert, and if so, permanently, no
big deal. Standard procedure if you use SSL and IMAP.

V> And why on earth people use a certificate if it is expired? (or self
V> signed)?

I have been using one on a remote server, (along with my other customers)
for years, after it expired. It originally had a life of 3 years. Why should
I replace it? Does it not still encrypt the connection?

V> It can be very easily compromised and by accepting such a certificate you
V> NEVER know if it comes from your server or from a 3rd person in between.

You have fallen under the misconception of the "compromised server" syndrome
:) There is nothing to be compromised whether you use an expired cert or
not. See below please for the real understanding.

1. Your mail client has to find the server using DNS published records which
point to the IMAP server. Hardly room for any man-in-the-middle attacks,
since it is extremely difficult to poison DNS servers, let alone to find the
DNS server that you would be using.

2. Here is where your above statement is flawed. In order to log in to your
server, you have to AUTHENTICATE.... you must provide a password or in combo
with CRAM-MD5 or some such, although it could be plain.

Most importantly........

3. IMAP certs do *nothing* except to encrypt the connection from the client
to the server. It has nothing to do with authentication, nothing to do with
compromising a server. We are not talking about e-commerce here, where you
send your credit card over the wire. We are talking about encrypting a
connection to/from an IMAP server. You still have to authenticate, if the
server is worth anything, and not a public server, in which case just use
port 143 without SSL. It is the authentication that is important.

It is possible to reverse engineer a private key from a public key, especially if you are using less than 1024-bit private key encryption (and please remember that, for example, in the USA it is _enforced_ by law). All you need is time. It is advised to change your private/public key pairs from time to time. This way you can be sure that the key was not broken, stolen or compromised in any other way. That's why the "valid from" and "valid to" fields were introduced in X.509 in the first place. You can think of it like "password expiration".

In other words, a certificate is a "vehicle of cryptographic trust" and users should not trust a certificate if it is expired.

4. Every other email client allows the user to choose whether he wishes to
accept a cert, any cert for IMAP. I'm a grown up guy, and I can make my own
decisions if I want to accept a cert or not. Jumping through hoops to get to
an IMAP server, after you used Stunnel a few 1000 times, is just a pain -
unnecessary I might add.  It is just easier to use another client.

And how do you know, that first time, that you are accepting a certificate from your server if it is self-signed? I can easily view the properties of such a certificate, create my own CA and create exactly the same certificate from the properties point of view. And not everyone has a direct connection to the server to accept it that first time.

--
  Best Regards,

  Vilius
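The two checks argued over in this thread, the X.509 validity window and recognising a self-signed server certificate again after the first acceptance, as an added example that is not part of this message; the certificate dict, DER bytes and dates are constructed, in the shape Python's `ssl` `getpeercert()` returns:

```python
import hashlib
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# (binary_form=False) for a self-signed IMAP server certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.test"),),),
    "issuer": ((("commonName", "imap.example.test"),),),
    "notBefore": "May 16 00:00:00 2004 GMT",
    "notAfter": "May 16 00:00:00 2007 GMT",
}
# Constructed stand-in for getpeercert(binary_form=True); a real client hashes
# the actual DER bytes of the presented certificate.
SAMPLE_DER = b"constructed-der-bytes-for-example"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate: what a client should pin."""
    return hashlib.sha256(der).hexdigest()


def evaluate_peer_cert(cert, der, pinned, now_ts):
    """Decide whether an IMAP client should proceed with this server cert.

    cert    : dict as returned by getpeercert()
    der     : bytes as returned by getpeercert(binary_form=True)
    pinned  : fingerprint stored at first use, or None if nothing stored yet
    now_ts  : current time as seconds since the epoch (UTC)
    Returns (decision, detail); decision is "accept", "pin" or "reject".
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts < not_before:
        return "reject", "certificate not yet valid"
    if now_ts > not_after:
        # The key has outlived the lifetime its owner declared for it.
        return "reject", "certificate expired"
    fp = fingerprint(der)
    if pinned is None:
        # First use: pin the fingerprint, not the subject/issuer fields,
        # because those fields can be copied into another self-signed cert.
        return "pin", fp
    if fp != pinned:
        # Same-looking certificate, different key: do not proceed.
        return "reject", "fingerprint does not match pinned value"
    return "accept", fp
```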


________________________________________________________
Current beta is 3.99.06 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
