Re: [Evolution] SSL certificates and Man in the Middle attacks



On Sunday, 09 September 2012 at 22:40 -0400, Jeff Fortin wrote:
> Hi there,
> As far as I can tell, Evolution uses a default set of SSL certificate
> authorities.

[...]

> Will the user get (I hope) a big scary "SOMETHING IS VERY WRONG" warning
> like SSH does when server fingerprints don't match?
>
> I'm of course not a security expert, but would like some reassurance
> that Evolution is actually safe against this scenario.
> Thanks

As users (mostly) ignore security warnings[1], it should be useless,
IMHO.
SSH does not target the same users as browsers or mail readers, so users
are more likely to read them. (And SSH keys don't expire, so you can
keep fingerprints for ages)

[1] http://lorrie.cranor.org/pubs/sslwarnings.pdf

-- 
Bastien Durel



