Hi Vilius et al,

Wednesday, April 6, 2011, 12:00:16 PM, you wrote:

>>> You can do this by using standard plain text connection method.
>> That is hard to do if the server, for example, only supports SSL
>> connections (as is common practice today) and uses self-signed
>> certs for that - and as such just as good as advising someone, who
>> complains that a car lets him put in diesel where unleaded is
>> needed, to try to run his car on wood.
> I'm not sure why you think this is "a common practice". Sure it was
> the case like 5 years ago, but now every major webmail provider,
> bigger companies and even universities use good certificates. I use
> 6 accounts for work and 2 personal accounts and all of them are
> properly secured with proper certificates. And given what messages
> IE, FF and Chrome throw at users these days, I don't imagine who
> is using self-signed ones.

This is more of a philosophical discussion about PKE (Public Key Encryption). This might be a bit OT; if so we can carry on by PM.

There are 2 main uses for PKE.

1.- Certify endpoints. For this there must be an unbroken certificate chain from a trusted CA down through 0 or more intermediate certificates to the end certificate that is being used. For this purpose Vilius is right: self-signed certificates are no use.

2.- Secure communications channel. The communication is opaque to all but the 2 endpoints that are communicating. When you perform IMAP/POP3/SMTP authentication you are sending your login details; you definitely don't want people to read that, and you might not want them to read the mail contents either. For this purpose self-signed certificates are perfectly OK.

As a small aside, even for purpose 1 the current implementation is flawed. It all comes down to having a few trusted, 100% secure Root CAs. This is not actually the case. Some CAs have been compromised in the past, which is one problem; another is that some countries have their own internationally recognised, government-controlled CA, which then allows the government to mount a man-in-the-middle attack on SSL traffic going through their country.

I want The Bat! to store the self-signed certificate so that I can simplify purpose 2 above.

Regards.

-- 
Debian GNU User
Simon Martin
Project Manager
Milliways
mailto: smar...@milliways.cl
Si Hoc Legere Scis Nimium Eruditionis Habes

________________________________________________________
Current beta is 5.0.6.1 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
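The distinction the message draws between certifying an endpoint (purpose 1) and simply getting a private channel (purpose 2), together with the wish that the mail client store a self-signed certificate, as an added example in Go that is not code from this thread or from The Bat!: the client skips CA-chain validation and instead accepts only the certificate whose SHA-256 fingerprint it stored when the user first accepted it. The certificate, the pin and the in-memory handshake are all constructed here for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// NewSelfSigned builds a throwaway self-signed server certificate (constructed for this demo).
func NewSelfSigned() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, err
}

// Pin is what the client stores once the user accepts the cert: SHA-256 of its DER bytes.
func Pin(c tls.Certificate) [32]byte { return sha256.Sum256(c.Certificate[0]) }

// PinnedConfig skips CA-chain validation (purpose 1) and accepts exactly the stored cert (purpose 2).
func PinnedConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // tolerable only because the callback below does the real check
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || sha256.Sum256(raw[0]) != pin {
				return errors.New("server certificate does not match the stored one")
			}
			return nil
		},
	}
}

// Handshake runs a TLS handshake over an in-memory pipe between a server presenting
// serverCert and a client using cfg; nil means the client accepted the server.
func Handshake(serverCert tls.Certificate, cfg *tls.Config) error {
	srv, cli := net.Pipe()
	defer cli.Close() // also unblocks the server goroutine when the client gives up
	go tls.Server(srv, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	return tls.Client(cli, cfg).Handshake()
}
```

Note that the pin ties the client to one exact certificate, so a legitimate certificate rotation on the server looks the same as an interception attempt and needs the user to accept the new certificate again.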