SSL (strict) means that the cert is validated against the CA's - i.e. will reject self-signed certs.
There is however *no* domain name validation - it's all too common for mail systems that offer "domain mail hosting"
- to *not* have "customer domains" in their certs, and yet
- have the mail servers under the custom domain names available
Really?!!!
You are not kidding, are you?
I cannot believe that's the way how it is implemented by such a knowledgeable and security-conscious person like you, Kostya!
I am shocked! Please tell me that I misunderstood something here...
Here is why:
TLS certificates have two purposes:
1. Verification (of who you are talking to) and
2. Encryption of the communication.
1. The purpose of the verification is to confirm that you are indeed talking to the server with the name that you expect.
So, before issuing the certificate, CA verifies, that that domain belongs to (under control of) the requester.
In case of the "extended" TLS certificates, there could be additional verification of the
entity to which the said server belongs (Bank, Governmental organization, etc.). But some CA's (including the aforementioned Let's Encrypt) do not do the latter.
For the purpose #2, a self-signed certificate is sufficient. Your communication will not be accessible for others, but you would not know who you are talking to (unless you received that site's certificate via trusted channels, and hence trust it).
So, essentially, when a user disables "strict checking" in Aquamail, he/she essentially says: "I don't really care who I am communicating with, as long as nobody else can hear it, and hopefully it will be my e-mail, and it will not be read by a MITM."
When that user wants to have certainty about the communication end-point, but he/she cannot (or shouldn't) use a certificate issued by a chain leading to a trusted CA, - the choice is to import the self-signed "root" certificate of that "self-CA" into the local device's database, thus adding it to the [locally] trusted CAs.
Sometimes that is done with privately issued certs (by a company, for access to the company resources).
Now, in a situation such as that discussed by the OP, essentially
NO verification is happening. So, the situation is not better than in case of the self-signed certificate + "strict check" option disabled. The situation is somewhat improved if the user enables "track certificate change" option, which is disabled by default, IIRC. In that case, the situation is getting close to that when a user imports a self-signed CA cert... but only until the server certificate changes. Then, all bets are off.
So, the present "strict SSL check" option in Aquamail is grossly
misleading.
Here is just one scenario of the MITM: A perpetrator takes (through a hack/exploit/social engineering/..) the SSL certificate of the server domain.com, and installs it on his evildomain.com, and then through traffic interception/diversion (either via traffic diversion or via DNS cache poisoning, or several other schemes), diverts Aquamail connection to evildomain.com. You are sure that you are connecting to domain.com (because you enabled
strict SSL checking), and submit your login-password credentials. Your account is compromised.
I know several users whose accounts were compromised via traffic interception/diversion (not via Aquamail).
I understand that you are simplifying your life by not hearing complaints from the users who are using providers in the way you described. But... No!... It is a BIG
BUTYou are subjecting all other users (who are doing everything right, using the right configuration with the correct provider, paying for the certificate for their domain with the correct CN or alternative names)
to the danger of having their accounts compromised.You are negating the very purpose why they obtained a proper certificate signed by a trusted CA.
Remember that
thread on AndroidForums by the late Crashdamage? I'd say that most of those advantages about privacy and security highlighted there are negated by this behavior of Aquamail.
In the situation you described, those users of the "el-cheapo" providers should use imap.provider.com and smtp.provider.com, not imap.catsanddogs.com, if they didn't pay for
the certs for their domain. (After all, it is only once that they need to configure it
manually.)
They chose a cheap option, and they are inconvenienced. And yes, sorry, you will be inconvenienced too, because they will be surprised why automatically chosen server is not working for them. But all other thorough users will not be subjected to the risk of being compromised.
(Alternatively, they can disable "Strict checking" in Aquamail and test their luck.)
I think this
hidden security hole must be fixed ASAP.
(It is so significant that I'd be forced to give up the legacy version that has "reflow-after-zoom", as well as a few features that don't exist in the later versions.)
The correct behavior would be if this functionality (not checking against the server name) was happening when "Strict checking" is disabled, whereas Aquamail would stop connecting and throw an error message when "Strict checking" is enabled, and if the server name doesn't match.