Topic: 'SSL certificate has been changed' notification driving me crazy...

flupke01

  • Newbie
  • *
  • Posts: 4
I use 3 gmail (imap) accounts in Aquamail on my phone, which usually work fine. But since somewhere last summer, aquamail started showing the (for me very) well-known 'SSL certificate has been changed' notification. At first this happened not too often, maybe once every 3/5 weeks. I don't know exactly, didn't keep track of it... Last few months though the frequency of those events went up big time. Now I get those notifications multiple times a week. Sometimes I don't get them for a few days, and sometimes 3 times a day...

I've read all I could find about it. I know aquamail is doing what it is supposed to do. I check the information about the old and new certificate thoroughly, but every time it is the same: the old cert should be still valid and the new one is obviously valid too. And both are from Google, like they should... Nothing suspicious there. Only strange thing is that the old cert is not expired yet. Most of the time I check the certs, accept the change and aquamail is fine again. But I found recently that sometimes not doing anything also works; after some time the notification just disappears and mail is being checked normally again...
I should also mention that this behavior also occurs on my tablet, and on my wife's phone and tablet.

I always used to have ssl set up as 'strict', but am now going to experiment with ssl accepting all, for just one of my gmail accounts; see what happens...

If anyone has a clue what I could do to get rid of this (amount of) notifications without lowering the security settings, I would be very, very happy to hear about it. This is so annoying. I get it if Google change the certs from time to time, but this frequency is ridiculous...

someone

  • Sr. Member
  • ****
  • Posts: 415
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #1 on: February 04, 2017, 04:30:58 am »
It's not only with Gmail. I'm having the same problem, repeatedly.
I've used Aquamail for years and this only started happening recently. I wish I could go back to an earlier version.

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #2 on: February 04, 2017, 10:55:44 pm »
Quote
If anyone has a clue what I could do to get rid of this (amount of) notifications without lowering the security settings, I would be very, very happy to hear about it. This is so annoying. I get it if Google change the certs from time to time, but this frequency is ridiculous...

Quote
It's not only with Gmail. I'm having the same problem, repeatedly.
I've used Aquamail for years and this only started happening recently. I wish I could go back to an earlier version.

Nothing to do with recent builds. Google regularly rotates SSL certificates (annoying). Best solution IMO is to deselect 'SSL validation' in security settings. Yes, this removes a layer of security but others remain. Assess the exposure and decide if the benefits outweigh the risk. There are other ways to detect MITM attacks if you are seriously worried about that.

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #3 on: February 05, 2017, 02:51:44 am »
Let me respond to previous posts in an attempt to explain what is happening. (I believe in knowledge as a basis for decisions.) And to propose an option to Kostya:

1. It is not the client. It is the servers. It used to be that the SSL certificates on the server were valid for 1-3 years, and they were replaced just before they were expiring. Recently Google started changing them about once a month. I agree, it's a bit annoying. (And then, you get a chance of seeing flip-flop if you happen to connect to a server with a new certificate, then to one with the old one, and then again to the one with the new one, -- could be on the same day.)
At the same time, there is a push toward moving all web traffic from http to https. For this reason, many websites who had never had SSL certificates need those. Most certificates are not free. But there is a recent provider, Let's Encrypt, that provides free SSL certificates that are only valid for 3 months: https://letsencrypt.org/
So, you may see many small providers switching to those.
And with the "Let's Encrypt", the automated renewal of certificates happens for those certificates that are less than 1 month before the expiration. That makes the actual life of a certificate to be about 2 months.

2. Before I go to what Aquamail does with the certificates, I need to mention two (or three) roles that SSL certificates play in the secure communications:
a) to encrypt the exchange of information, and
b) to authenticate that the communicating side/participant (server, client) is who it claims to be.
Actually, the latter has two possible aspects:
i) It is verified through the "trusted authority" that they are who they are (And then there are different levels of that verification, as different Trust Authorities may require different confirmations: some just confirm that the server indeed can control the domain, while others require confirmation of the entity name used in the certificate. But we are not going to go this deep here.)
ii) It is confirmed that it is the same participant (server) as you've already communicated previously (independently of whether it may or may not be verified through a trusted authority).

Unfortunately (b.ii) is largely defeated by the frequent change of the certificates.
Moreover, unfortunately, I am not aware of any web browsers or even any other e-mail clients that inform you about change of the certificate while the new certificate is valid.
I know only two categories of software where this change is tracked: all SSH implementations [that I've seen], and Aquamail.
None of the webservers, none of the e-mail clients (of those that I've seen), none of the "MTA's" (mail transfer agents, i.e. servers transmitting e-mails between servers via SMTP protocol), none of the source control software (here my information is primarily based on my conversations with software developers who use those), or any other software that relies on certificates (SSL).

3. Aquamail behavior with respect to the certificates. I remember reading Kostya's explanation about this behavior, and while I understood (I think) his explanation, I was confused.
Here is a summary of my understanding:
a) Aquamail checks the validity of the certificate. IIRC, that includes the check of the entire chain down to the root certificate. That is done if "strict checking" enabled. (I.e. if the server has a self-signed certificate or a certificate without the root authority known to the device, Aquamail will not continue with the connection.) If the strict checking is disabled, then, essentially the certificate is used to encrypt the password exchange and the rest of the communication, and a self-signed certificate is sufficient.

Then, a separate issue is tracking if the certificate for the server is the same as the one used before. This is a defense for the man-in-the-middle (mitm) attack, where a rogue server is pretending to be the right one. As far as I understand, the logic behind this check is that the rogue server trying to impersonate the target server may have a certificate that may look valid, and might even check out to some valid (known) root CA. That's why Aquamail offers an option to accept or reject the new certificate.

This is a good functionality. But in view of the frequent rotation of the certificates, it becomes annoying, and as a result, it loses its importance, as most users just automatically click on "accept". (You might remember a period when one of the web browsers started by default confirming every cookie it was receiving - and people just turned that off.)

Now, something that I am not 100% sure:
1) I suspect that turning off "Strict checking" under server settings for the account would disable confirmation when the SSL certificate changes. Is that the case?

2) If that's the case, - I'd rather have two separate options: (A) don't be strict on verifying the certificate chain, and (B) do not ask about changing certificate if it is completely verified (probably only in the sense of "strict checking").
In this case one can choose (B) but not (A), and have strict verification without the annoyance from Gmail servers (or potentially many other providers).
(As discussed above, essentially, all email clients that I know implement (B) as the standard behavior without giving an option otherwise.)

@Kostya, I greatly appreciate the fact that the confirmation for the change of certificate exists in Aquamail. This is an indication that you are concerned about security. But it would make great sense to separate the options as proposed above. Furthermore, I'd suggest it would make sense to keep them separate for different accounts (as it is done now for the existing option).
I apologize if I misunderstood and/or missed something in the interpretation of Aquamail behavior/options.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #4 on: February 05, 2017, 05:31:37 pm »
@StR, thank you for a great and very accurate (almost to the end) explanation.

Quote
Now, something that I am not 100% sure:
1) I suspect that turning off "Strict checking" under server settings for the account would disable confirmation when the SSL certificate changes. Is that the case?

Nope. The two validations -- 1) CA "chain of trust" and 2) SSL cert changes -- are fully independent.

The reason SSL cert change tracking exists is precisely because the CA chain of trust can be compromised.

----

Now, StR is completely on the mark with the rest of the explanation.

When you ask Aqua Mail to track SSL cert changes (it is off by default), then that's exactly what it's going to do.

If a particular mail server rotates its SSL certs often, then the "hey look the cert is different" error will trigger after each "new" cert, as expected, but yes it can get annoying.

There is nothing wrong with Aqua Mail's logic here -- if you ask it to track SSL cert changes, then it will.

Please note that since a few months (the previous update, not this 1.8 in "beta"), the app got better about remembering the "already seen" certificates, and should not trigger on back-and-forth cert changes which it did before.

And actually, you can see the difference between the "known" and the "new" certs in Aqua's "SSL cert change, please confirm" dialog.

For Gmail, I see the expiration dates getting bumped every time by just a bit. For example a "known" cert with an April 10 2017 expiration will get replaced by a new one with an April 18 expiration, and so on.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/
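
The two independent checks discussed in the posts above (CA chain validation and certificate-change tracking, with already-accepted certificates remembered so a flip-flop between old and new does not prompt again), as an added example. This is not Aqua Mail's code; the class, the verdict strings, the host name and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib


class CertChangeTracker:
    """Two independent checks: CA chain validity and 'same cert as before'."""

    def __init__(self, strict_chain=True, track_changes=True):
        self.strict_chain = strict_chain    # hypothetical name for "strict checking"
        self.track_changes = track_changes  # hypothetical name for change tracking
        self.seen = {}  # host -> set of accepted SHA-256 fingerprints

    @staticmethod
    def fingerprint(der):
        # In a real client, der would come from
        # ssl.SSLSocket.getpeercert(binary_form=True).
        return hashlib.sha256(der).hexdigest()

    def check(self, host, der, chain_ok):
        # Check 1: chain of trust, enforced only in strict mode.
        if self.strict_chain and not chain_ok:
            return "reject-chain"
        # Check 2: change tracking, evaluated even when the chain is valid,
        # because a CA-signed certificate can still be the wrong one.
        if not self.track_changes:
            return "ok"
        fp = self.fingerprint(der)
        known = self.seen.setdefault(host, set())
        if not known:  # first contact: trust on first use
            known.add(fp)
            return "ok-first-use"
        return "ok" if fp in known else "confirm-change"

    def accept(self, host, der):
        """User confirmed the new certificate; keep the older ones as well."""
        self.seen.setdefault(host, set()).add(self.fingerprint(der))


def replay(tracker, host, observations):
    """Feed (der, chain_ok) pairs through the tracker, accepting every prompt."""
    verdicts = []
    for der, chain_ok in observations:
        verdict = tracker.check(host, der, chain_ok)
        if verdict == "confirm-change":
            tracker.accept(host, der)
        verdicts.append(verdict)
    return verdicts


# Constructed stand-ins for the DER bytes of an old and a rotated certificate.
OLD, NEW = b"constructed-cert-old", b"constructed-cert-new"
# Server farm mid-rotation: old, new, old again, new again.
FLIP_FLOP = [(OLD, True), (NEW, True), (OLD, True), (NEW, True)]

if __name__ == "__main__":
    print(replay(CertChangeTracker(), "imap.example.test", FLIP_FLOP))
```

With both checks on, the rotation prompts once and the later back-and-forth is silent; with strict chain checking off, a changed self-signed certificate still prompts, which is the independence of the two checks.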

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #5 on: February 06, 2017, 12:59:50 am »
Thank you Kostya for the clarification, I knew that those processes were separate; my question was about the configuration option. Recently, I couldn't find the option responsible for tracking the change of the certificate.
Finally, I have just found it under Settings - Network.
And I think that is what the OP is looking for.

Maybe you can consider making it configurable per account.
For myself, I would consider disabling it for gmail-based accounts, while keeping it enabled for the rest.

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #6 on: February 06, 2017, 02:07:52 am »
Quote
Thank you Kostya for the clarification, I knew that those processes were separate; my question was about the configuration option. Recently, I couldn't find the option responsible for tracking the change of the certificate.
Finally, I have just found it under Settings - Network.
And I think that is what the OP is looking for.

Maybe you can consider making it configurable per account.
For myself, I would consider disabling it for gmail-based accounts, while keeping it enabled for the rest.

+1

I second this.

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #7 on: February 06, 2017, 06:30:43 pm »
Quote
Thank you Kostya for the clarification, I knew that those processes were separate; my question was about the configuration option. Recently, I couldn't find the option responsible for tracking the change of the certificate.
Finally, I have just found it under Settings - Network.
And I think that is what the OP is looking for.

Maybe you can consider making it configurable per account.
For myself, I would consider disabling it for gmail-based accounts, while keeping it enabled for the rest.

Yep - would be nice to kill it only for specific providers.

someone

  • Sr. Member
  • ****
  • Posts: 415
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #8 on: February 07, 2017, 03:18:41 am »
Quote
found it under Settings - Network.

Which specific setting should be turned off?

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #9 on: February 07, 2017, 05:15:27 am »
re: Which specific setting should be turned off?

SSL Validation.

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #10 on: February 07, 2017, 06:37:39 am »
@Kostya:

Looking at how the option is called ("SSL validation"), got me thinking that it is a misnomer (for more than 1 reason): First, it is not related to SSL per se, but rather to the SSL certificate, but I can see that you are trying to be brief. But second, and most importantly, - this option is not about validation of SSL certificates, which is controlled by "SSL strict" under account/server settings.
The description of the option is correct, which helps, but not the title.

I'd call it something like: "Track SSL cert[ificate] change", "Warn about SSL cert change" or "SSL cert change warning". (I am trying to make it brief while making it descriptive enough. ... and, of course, correct.)

someone

  • Sr. Member
  • ****
  • Posts: 415
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #11 on: February 07, 2017, 03:48:57 pm »
Quote
re: Which specific setting should be turned off?

SSL Validation.

Thank you.

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #12 on: February 07, 2017, 04:25:04 pm »
Please note that "brief" with abbreviation words in English, added to the new translation process (probably web based translators, not using the app, with poor results) could lead to something totally strange in wording.

Your comment got me thinking about improving that process.
On one hand, you still want to have it brief in English (which sometimes can be jargonish, and as such hard to translate, especially by non-users). On another hand, - you want to have a clear meaning for the translator(s).
(We've seen this even before in this forum, when native speakers were confused about the meaning of the English phrase and were translating it essentially opposite to its intended meaning.)

One solution to that could be to have two lines in the code depository: one that is displayed by the app, and the other one, - a "full sentence" version that is just a comment (never used, never compiled into the app), - to be used as a basis for the translation.

Here it would be:
Display version: "Track SSL cert[ificate] change", "Warn about SSL cert change" or "SSL cert change warning"
Full-sentence version: "Warn about the change of the SSL certificate"

BTW, "cert" is a widely used abbreviation, both in the computer world and beyond. See, e.g. Merriam-Webster: https://www.merriam-webster.com/dictionary/cert



StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #13 on: February 07, 2017, 11:00:51 pm »
BTW, for those interested why Google changes their certs so frequently, as far as I understand, the reason is what is called "forward secrecy": https://security.googleblog.com/2011/11/protecting-data-for-long-term-with.html?m=1
My understanding is that frequent rotation of certs forces renewal of the keys that are generated and exchanged upon successful authentication and used to encrypt the subsequent communication.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #14 on: February 07, 2017, 11:11:16 pm »
Re: wording:

Maybe "SSL certificate change detection"?