[Users] [Bug 2738] Erroneous rotation of SSL certificates

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Thu Sep 27 23:48:08 CEST 2012


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2738


IgnorantGuru <ignorantguru at gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |




--- Comment #9 from IgnorantGuru  2012-09-27 23:48:08 ---
A few other thoughts on this, in case anyone is actually willing to consider
them without resorting to personal attacks.

Claws is unusual in that it asks the user to approve a cert ("Accept & Save"),
rather than verifying the sig and using it.  Fine, nice feature.  But the way
it's implemented is erroneous in that I already accepted and saved this newer
cert.  Yet it keeps prompting me to accept it over and over again, even though
I have done so.  That's the core of the problem, and why it makes Claws'
behavior look stupid.  Accept means accept - don't ask me again.

Apparently the only way to avoid this annoying behavior at present is to
disable the 'accept' feature entirely and accept certs silently (thanks for the
suggestion regardless, Brad Rogers).  Because of a UI deficiency, you're forcing
the user to lessen their security settings just to have a functional app, which
does not make for good security.

Surely there is some way that Claws could handle this more gracefully for the
user beyond asking the very same question over and over and over again, but
instead the issue is disregarded because the dev feels Google's server is
"abnormal".  Try taking a look at the behavior of your own app in this
situation if you want to see "abnormal".  That's the job of an email client -
managing the underlying issues in a reasonable way for the user.  Claws fails
in this area due to an incomplete implementation of the 'Accept & Save'
feature.

I'm no fan of Google and I don't defend everything they do, but here I don't
think they're doing anything so unreasonable.  Google isn't going to change to
accommodate Claws, but Claws can adapt in this case, for the sake of Claws
users, without jeopardizing security at all (in fact improving it since the
current suggestion seems to be 'silently accept everything').

This is a simple UI failure, but perhaps due to some resentment toward GMail by
the Claws devs, they refuse to address the problem.  I think there is an
intelligent and simple way for Claws to handle this situation gracefully, but
it's being ignored for the sake of egos.

-- 
Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.