[Users] [Bug 2738] Erroneous rotation of SSL certificates

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Sep 28 04:37:21 CEST 2012


--- Comment #13 from IgnorantGuru  2012-09-28 04:37:20 ---
> Google is wrong. Claws Mail is correct in barking about it. Even though it may
> look stupid to you it is the correct behavior according to the SSL
> specifications.

Thanks for your reply.  The specs say something about how to inform the user,
do they?  Very thorough specs.  If what you say about the specs is correct,
that doesn't mean Claws' behavior to the user is 'correct'.  If it wants to bark
about it, it should do so in a functional way which enhances security and is
usable.  What it displays (again and again and again) is not a warning, it is a
dialog asking you to accept a cert, accept a cert, accept a cert, accept a
cert, accept a cert, and to compare information, compare information, compare
information, compare information, compare information.  What do you think
happens when the user is shown this a few hundred times?  It's effectively a
large number of false positive warnings, which reduces security (not to mention
driving users to disable it entirely).  This is what you call 'correct
behavior'?  I call it an unrefined and underdeveloped interface.

Further, we all know 'specs' are not the final word and are always growing and
adapting to new uses before the spec writers catch up to reality (which they
never do).  Other mail clients have adapted to this 'new normal'.  Two keys
having an overlap period of validity when being changed is not exactly unheard
of.  (Or if not exactly 'valid', at least recognize what is happening with some
intelligence.)  Google represents a new scale of mail server.  If I ran
something that large, I might fly a few canaries too.  Adaptation to reality
and common use rather than just specs is always necessary, at least if you want
software that behaves anywhere near reasonably.  To put it another way, if the
developer's mail server showed this problem, the fix would be mighty quick,
regardless of any 'specs' getting in the way of that, I assure you.  No
developer would tolerate this behavior - or at least no developer that knows
what a quality app looks like.  This is just a lack of will.

If I can see what's happening in these repeated and repeated and repeated and
repeated and repeated and repeated dialogs, Claws could be made smart enough to
see what's happening.  It would be nice and much more effective to be informed of
the key change - once.  Like I said, this is merely a bit of lack of memory and
intelligence.  It's not a tough technical problem, there is simply no will to
correct it.  I accepted the cert - it's not expired, revoked, the sig is good -
I don't need to be asked again.

Defending the current behavior that the user sees is simply ridiculous, and
even more so by quoting SSL specs (I suspect you haven't even seen it or you'd
be embarrassed to defend it).  If the devs don't want to be bothered to fix
this obvious but limited problem, just have the nerve to say that, or leave it
open.  This discussion is obviously not worth continuing since there is simply
no will to even acknowledge the problem honestly.  Not everything is a
technical problem.
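
The comment above describes a server that presents more than one valid certificate during a rotation and a client that prompts each time. The following is an added illustration, not part of the original comment and not Claws Mail code: it compares a store that keeps one accepted fingerprint per host with one that keeps a set, while still rejecting invalid certificates. The `Cert` class, the host name, the `single_slot` model and all sample values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:                  # constructed stand-in for a parsed X.509 certificate
    der: bytes
    not_after: datetime
    chain_ok: bool = True    # assumed result of signature/revocation checks done elsewhere

def fingerprint(cert):
    return hashlib.sha256(cert.der).hexdigest()

class AcceptedCerts:
    """Per-host record of certificates the user has accepted."""
    def __init__(self, single_slot=False):
        self.single_slot = single_slot   # True models "one saved cert per host" (assumption)
        self.by_host = {}

    def check(self, host, cert, now):
        if not cert.chain_ok or now >= cert.not_after:
            return "reject"              # a remembered fingerprint never overrides validity
        if fingerprint(cert) in self.by_host.get(host, set()):
            return "trusted"
        return "prompt"

    def accept(self, host, cert):
        fp = fingerprint(cert)
        if self.single_slot:
            self.by_host[host] = {fp}    # overwrites the previously accepted cert
        else:
            self.by_host.setdefault(host, set()).add(fp)

def count_prompts(store, host, connections, now):
    """Number of accept dialogs shown if the user accepts every prompt."""
    prompts = 0
    for cert in connections:
        if store.check(host, cert, now) == "prompt":
            prompts += 1
            store.accept(host, cert)
    return prompts

HOST = "imap.example.org"                # constructed host name
NOW = datetime(2012, 9, 28, tzinfo=timezone.utc)
OLD = Cert(b"constructed-cert-old", datetime(2013, 6, 1, tzinfo=timezone.utc))
NEW = Cert(b"constructed-cert-new", datetime(2013, 9, 1, tzinfo=timezone.utc))
EXPIRED = Cert(b"constructed-cert-expired", datetime(2012, 1, 1, tzinfo=timezone.utc))
SEEN = [OLD, NEW, OLD, NEW, NEW, OLD]    # constructed: server alternating during rotation

if __name__ == "__main__":
    print(count_prompts(AcceptedCerts(single_slot=True), HOST, SEEN, NOW))
    print(count_prompts(AcceptedCerts(), HOST, SEEN, NOW))
```
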
