[Evolution] SSL certificates and Man in the Middle attacks



Hi there,
As far as I can tell, Evolution uses a default set of SSL certificate
authorities.

However, I've been told that the Certificate Authorities system is
fundamentally flawed, in the sense that CAs don't communicate with each
other, any of them can sign for any domain name, and I've been told some
CAs are quite un-trustworthy. This is a scary prospect.

Now, I never had to "accept" the certificate for Google to use GMail
through IMAP. To be honest, I would have expected some sort of prompt
that says, "Hey, this is the first time you're connecting to that
host... are you certain that you are on a trusted network connection and
the host you are connecting to is really the one it claims to be?"...

My question is thus the following: if the user is not the one manually
vetting the certificates, what happens when someone tries to do a
man-in-the-middle attack (ie: you're on an untrusted wifi, someone tries
to impersonate the GMail IMAP servers and provide a valid, signed
certificate that is different from Google's)?

Will the user get (I hope) a big scary "SOMETHING IS VERY WRONG" warning
like SSH does when server fingerprints don't match?

I'm of course not a security expert, but would like some reassurance
that Evolution is actually safe against this scenario.
Thanks




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]