[Users] Weird certificate update popups
Slavko
linux at slavino.sk
Wed Feb 19 23:16:09 UTC 2025
On 19 February 2025 21:05:47 UTC, Michael Schwendt <bugs.michael at gmx.net> wrote:
>On Wed, 19 Feb 2025 16:07:21 +0000, Slavko wrote:
>
>> Are you aware, that Let's Encrypt announced support of certificates
>> valid for 6 days?
>
>Do I need to?

You must know. But it is often out of the MUA user's control; I
would guess that not many CM users maintain an email server...

>Claws Mail's developers have made the fully automatic accepting of valid
>certs an option in the settings, which defaults to "off". IOW, if you
>want to rely on it, then turn it "on" _and_ trust the CA chain.

It seems that you have either confused me with someone
else or you are trying to move the topic somewhere else. I
didn't ask for help, I asked to be pointed to where the requirement
to have equal certificates for all IPs is defined (as my
knowledge differs).

>Only if not automatically accepting a cert if it's "valid", you can
>add some brief plausibility checks for Owner, Signer, fingerprint.
>If user only clicks away the notification dialog, it's not worse
>compared with automatically accepting the valid cert.

The difference is in the word "feel": a false feeling of security
is worse than no security at all.

It is not a big problem to generate a fake certificate with all
items looking real. More problematic (up to
impossible in reasonable time) is to make it valid -- signed
by some trusted CA's private key (without access to that
key). Of course, which CAs are trusted remains open...

regards
--
Slavko
https://www.slavino.sk/