[Users] [Bulk] [Bug 2738] Erroneous rotation of SSL certificates

ratinox at gweep.net ratinox at gweep.net
Fri Sep 28 22:41:31 CEST 2012

On Fri, 28 Sep 2012 19:28:02 +0100
Kevin Chadwick <ma1l1ists at yahoo.co.uk> wrote:

> Conversely though there is no difference between accepting three
> previously accepted certificates as accepting one as long as the same
> checks have occurred and it is not silent, as going back to an old
> certificate could be a problem but as long as the user is made aware
> perhaps with when it was last seen, it shouldn't be. 

Well, yes, there is. Once an SSL certificate is superseded it is
superseded forever. This follows from the requirement that a socket
have exactly one certificate.

Say that a compromised Comodo or DigiNotar certificate for Google got
into your certificate cache. If Claws Mail did what you describe then it
would continue to silently use this valid (because it is valid within
the CA trust structure) certificate until the compromise is discovered
and the certificate is revoked. Or, as in the DigiNotar case, the entire
CA is removed from the root CA list.

Since you've mistakenly, unwittingly perhaps, approved the valid but
inauthentic certificate it will be used whenever you get the spoofed
socket instead of the real deal. And it will continue to be used
forever or until its expiry date or until revoked once someone notices.

Or you can use Claws Mail in its default state which will let you know
that maybe something isn't kosher.

\m/ (--) \m/

More information about the Users mailing list