Author Topic: 'SSL certificate has been changed' notification driving me crazy...  (Read 26325 times)

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #30 on: February 09, 2017, 08:06:43 pm »
Yep - OAuth is easy, quick and reasonably secure. Best choice IMHO for the 99% of the Gmail community. Purists hate it (of course) but the vulnerabilities are mostly theoretical and/or behavioral, which is somewhat laughable when put in context of the stereotypical Gmail user.

I am not a "purist". And my experience with OAuth is very limited. But a quick Google search indicates that improper implementation of OAuth (which happens a lot!) by apps and websites can result in many compromised accounts. And that's a situation where you, as a user, have very limited recourse (short of not using any of those resources or OAuth).
See, e.g., http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html (note the list of popular websites that had an improper implementation: pinterest, digg, soundcloud, bit.ly, etc.) and https://threatpost.com/oauth-2-0-hack-exposes-1-billion-mobile-apps-to-account-hijacking/121889/
Yes - I am aware of the vulnerabilities (albeit not the complete list of 'bad' sites), understand personal exposures (where/when to use OAuth) and have sufficient background to assess the risk envelope. In the presence of a better approach AND absence of careless/carefree/ignorant consumers OAuth would be improved and/or deprecated. That's obviously not the case, as evidenced by the security practices of the vast majority of those who utilize online services. OAuth joins Stagefright, Heartbleed, Badlock, massive MITM coffee shop attacks, etc., etc. in being the next 'bad boy' and media darling. What's needed is a radically different approach to online authentication/security, which we likely won't see for years or decades.

This is obviously going OT - time to move on.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #31 on: February 10, 2017, 09:57:06 pm »
This is getting more and more off topic, but I can't resist :)

- OAUTH and SSL certs are not related to each other (besides the obvious that API calls to refresh OAUTH tokens are protected by SSL, when it is necessary for the app to talk to web APIs for OAUTH2; this is not necessary for Gmail accounts already present in the phone's Settings).

- Gmail requires OAUTH2 for all new accounts, and for old accounts, they've been gradually turning it on (not sure if it's fully completed yet). The wording on the user accessible setting to turn this off is such ("less secure apps") that users get scared.

- Yahoo is following Gmail's lead (except they still haven't provided a way for mail apps to implement it).

So at this point, OAUTH2 is pretty much mandatory for Gmail (and Aqua also supports it for Hotmail and Yandex).
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #32 on: February 10, 2017, 11:26:59 pm »
Just FYI: I am still using non-OAuth authentication on a desktop and on my phone, in Aquamail.


Actually, Kostya, I have a question about that.
One of the reasons (or, maybe motivations) for that was the following line of thought:
With OAuth2, the authentication to the Google account is handled by the phone itself, and there is a potential that any other app that has access to the "accounts" on the phone may:
1. Realize the relation between different Google accounts of mine.
and even
2. Gain access to those accounts (by exploiting some unpatched vulnerability in Android in combination with the weaknesses of the OAuth2 [implementation]).
I thought that the password-based authentication information stored by Android would be less prone to both of those.

Is there a reasonable merit in this consideration, or are the password-based accounts created by Aquamail as vulnerable?
(I am not considering cases when the phone is completely compromised to the level of system/root permissions, when the entire system is accessible to the code with those permissions.)

And finally, with an OAuth2-based authentication in Aquamail, can Google Play service(s) (and, hence other Google apps) on the phone obtain access to that account, or is that Oauth2 token limited to Aquamail? (And, sorry, this is a deeper question: What actually pins it to Aquamail only?)

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #33 on: February 11, 2017, 02:06:17 am »
Just FYI: I am still using non-OAuth authentication on a desktop and on my phone, in Aquamail.


Actually, Kostya, I have a question about that.
One of the reasons (or, maybe motivations) for that was the following line of thought:
With OAuth2, the authentication to the Google account is handled by the phone itself, and there is a potential that any other app that has access to the "accounts" on the phone may:
1. Realize the relation between different Google accounts of mine.
and even
2. Gain access to those accounts (by exploiting some unpatched vulnerability in Android in combination with the weaknesses of the OAuth2 [implementation]).
I thought that the password-based authentication information stored by Android would be less prone to both of those.

Is there a reasonable merit in this consideration, or are the password-based accounts created by Aquamail as vulnerable?
(I am not considering cases when the phone is completely compromised to the level of system/root permissions, when the entire system is accessible to the code with those permissions.)

And finally, with an OAuth2-based authentication in Aquamail, can Google Play service(s) (and, hence other Google apps) on the phone obtain access to that account, or is that Oauth2 token limited to Aquamail? (And, sorry, this is a deeper question: What actually pins it to Aquamail only?)
It's important to distinguish between authorization and authentication. Native OAuth only provides the former. Another layer (OpenID is often mentioned) is required for authentication if that functionality is required.

Unlike desktop operating systems I don't believe Android provides a native mechanism to store/secure application passwords. I believe it is up to the app to take appropriate measures.

As an aside I ran across this article while trolling the web. Note the positioning of AquaMail and additional kudos given to the clarity of the Privacy Policy. Well done Kostya!

http://androidforums.com/threads/email-which-apps-keep-it-private.935578/

Excerpt:

NOTE: The AquaMail privacy policy statement linked below is not the usual boring legalese. Written in plain language, it's actually informative and interesting, and is the only one to mention any security testing.
AquaMail Privacy Policy
This is how it should be done! A must read!
http://www.aqua-mail.com/?page_id=1878

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #34 on: February 11, 2017, 08:43:42 am »
http://androidforums.com/threads/email-which-apps-keep-it-private.935578/
Yep.
The OP of that thread, Crashdamage [RIP], was on this forum too, and that thread was discussed and referenced here shortly after it was started there.
Quite a few people have found Aquamail from that thread there.

I hadn't known Crashdamage much, but from what I've learned, he made a nice contribution to the Androidforums community, and I saw a thread there with very kind words from people when he wrote about what was imminently coming, and very warm posts remembering him after he passed away.


Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #35 on: February 11, 2017, 04:11:52 pm »
I hadn't known Crashdamage much, but from what I've learned, he made a nice contribution to the Androidforums community, and I saw a thread there with very kind words from people when he wrote about what was imminently coming, and very warm posts remembering him after he passed away.
Thanks for that background. I read some posts in the thread you referenced. Quite a following; he did things right.

http://androidforums.com/threads/thanks-sorry-i-have-to-go.1006847
« Last Edit: February 11, 2017, 11:14:43 pm by Davey126 »

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #36 on: February 11, 2017, 07:37:44 pm »
It's important to distinguish between authorization and authentication. Native OAuth only provides the former. Another layer (OpenID is often mentioned) is required for authentication if that functionality is required.

Unlike desktop operating systems I don't believe Android provides a native mechanism to store/secure application passwords. I believe it is up to the app to take appropriate measures.

Yes, you are correct. Sorry, I used the term loosely.
Although, it is not just me; it appears to be a frequent practice. By the jargonish "OAuth authentication", people usually mean the authentication+authorization scheme that is built around OAuth.
I stand corrected.

Actually, the field has a bunch of such jargon. E.g. people call "SSL" or "SSL connection" everything that relies on X.509 certificates (aka SSL certificates), and not just SSL per se, but also TLS.

flupke01

  • Newbie
  • *
  • Posts: 4
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #37 on: March 02, 2017, 01:07:13 pm »
Being the OP I try to follow the discussion here, but it's gotten a bit too technical for me (and a bit off-topic as well ;)). Though I do appreciate how much effort you guys are taking regarding this matter! This community is really taking things seriously, nice to see.

Over the last month I tried out the effect of setting 'ssl accepting all', and that seemed to work well for a few weeks. Sadly, last week notifications started popping up again, and a lot too... :-\
What puzzles me is the fact that when I get a notification, the account concerned is at the same time normally accessible using the Gmail app (but this is not really relevant as a solution, as I'm a convinced Aquamail fan). But I do wonder how this is possible?

Am I correct when I think the best solution for me would be to set the Gmail account to 'strict' again, combined with disabling 'SSL validation' in settings > network? Or am I proving right now that I did not understand what you guys are talking about ;)

Also, if this is to be the best solution, being a compromise as it is, I think it would indeed be very handy if this could be a per-account setting... Could not really figure out if this is being considered as a possible change in the app?

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #38 on: March 02, 2017, 03:38:56 pm »
Over the last month I tried out the effect of setting 'ssl accepting all', and that seemed to work well for a few weeks. Sadly, last week notifications started popping up again, and a lot too... :-\
What puzzles me is the fact that when I get a notification, the account concerned is at the same time normally accessible using the Gmail app (but this is not really relevant as a solution, as I'm a convinced Aquamail fan). But I do wonder how this is possible?
In the practical situation you are discussing (Gmail certs changing) "ssl accepting all" will not play a role in the frequency of notifications (unless, of course, there would be "bad" certs from Gmail).

Am I correct when I think the best solution for me would be to set the Gmail account to 'strict' again, combined with disabling 'SSL validation' in settings > network? Or am I proving right now that I did not understand what you guys are talking about ;)
You are correct.

Also, if this is to be the best solution, being a compromise as it is, I think it would indeed be very handy if this could be a per-account setting... Could not really figure out if this is being considered as a possible change in the app?
+11111111

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #39 on: March 02, 2017, 03:46:30 pm »
Over the last month I tried out the effect of setting 'ssl accepting all', and that seemed to work well for a few weeks. Sadly, last week notifications started popping up again, and a lot too... :-\
What puzzles me is the fact that when I get a notification, the account concerned is at the same time normally accessible using the Gmail app (but this is not really relevant as a solution, as I'm a convinced Aquamail fan). But I do wonder how this is possible?
In the practical situation you are discussing (Gmail certs changing) "ssl accepting all" will not play a role in the frequency of notifications (unless, of course, there would be "bad" certs from Gmail).

Am I correct when I think the best solution for me would be to set the Gmail account to 'strict' again, combined with disabling 'SSL validation' in settings > network? Or am I proving right now that I did not understand what you guys are talking about ;)
You are correct.

Also, if this is to be the best solution, being a compromise as it is, I think it would indeed be very handy if this could be a per-account setting... Could not really figure out if this is being considered as a possible change in the app?
+11111111
Fully agree on all points. :)

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #40 on: March 02, 2017, 09:01:53 pm »
Also, if this is to be the best solution, being a compromise as it is, I think it would indeed be very handy if this could be a per-account setting... Could not really figure out if this is being considered as a possible change in the app?
+1

For the time being it could be worth trying the very latest build 1.8.2-216-dev:

https://www.aqua-mail.com/forum/index.php?topic=5472.msg32785#msg32785

Quote
https://aqua-mail.com/download/AquaMail-market-1.8.2-216-stable-166fbf35da6a.apk

This build is our release candidate not in Play yet but planned for the next week. If there are any problems, please let us know

+ Android 7, "SSL hardening" turned on -> enable "Chacha / Poly" cipher (supported by Gmail).

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #41 on: March 03, 2017, 06:42:40 pm »
Re: The last month I tried out the effect of setting 'ssl accepting all',

This setting has no effect on the "SSL cert change" logic.

Please set it back to "SSL strict", it's safer that way.

And if the "SSL cert change" notifications are bothering you, perhaps you'd like to turn off app settings -> network -> "SSL certificate change detection".

Re: the very latest build 1.8.2-216-dev

Has absolutely no changes in "SSL cert change tracking" logic.

Coolcmsc

  • Newbie
  • *
  • Posts: 2
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #42 on: March 17, 2017, 02:24:20 pm »
Hi! New here. Have read this through. It remains unclear to me why:

1. This only affects my Gmail account on AquaMail (I also use live.com, fastmail.com, icloud.com, my own URL on 1and1.com via Gandi.net)

2. When I use Gmail on other clients on Android, I don't get this problem.

PS: I do appreciate the dedicated and detailed information in this thread, but a simple bulleted list from you experts setting out actions and outcomes rated low to high security risk would help the majority of AquaMail users who, like me, are simply baffled by the no doubt very accurate explanations for actions the rest of us might take.
Ta!

Coolcmsc

  • Newbie
  • *
  • Posts: 2
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #43 on: March 17, 2017, 02:38:03 pm »
There is an FAQ on the main site...almost unbelievable, but it's true:
http(colon)//www(dot)aqua-mail(dot)com/?page_id=227
You can also go to the FAQ from the App menu (last item)
+1

Have read this FAQ: it's a really good answer for us simpletons.

It would be great to know exactly what features of a (new) Gmail SSL Certificate would mark it as being genuine.

Any advice?

PS: Comparing it to the previous one is risky if, like me, you have already accepted an older Certificate which, of course, may itself be fraudulent.

Ta!

Davey126

  • Sr. Member
  • ****
  • Posts: 258
Re: 'SSL certificate has been changed' notification driving me crazy...
« Reply #44 on: March 17, 2017, 02:59:43 pm »
Hi! New here. Have read this through. It remains unclear to me why:

1. This only affects my Gmail account on AquaMail (I also use live.com, fastmail.com, icloud.com, my own URL on 1and1.com via Gandi.net)

2. When I use Gmail on other clients on Android, I don't get this problem.

PS: I do appreciate the dedicated and detailed information in this thread, but a simple bulleted list from you experts setting out actions and outcomes rated low to high security risk would help the majority of AquaMail users who, like me, are simply baffled by the no doubt very accurate explanations for actions the rest of us might take.
Ta!
- Gmail/Google (unnecessarily) rotates security certificates on a frequent basis
- in AquaMail navigate Settings->Network and disable (untick) "SSL certificate change detection"
- there is no meaningful security risk associated with the above action unless you frequently use WiFi in public locations (even then the risk is ridiculously small relative to other exposures)
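As an added illustration of Coolcmsc's question (what marks a new certificate as genuine) and of Davey126's point that a rotated certificate is not by itself a risk, here is a Go program that is not code from this thread or from AquaMail: it builds a constructed test CA, issues two successive leaf certificates for the hostname imap.gmail.com (a string only, no network is contacted) plus an impostor leaf from an untrusted CA, and contrasts the "fingerprint changed" signal with real chain, hostname and validity verification. The CA names and the 90-day lifetime are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for cn signed by parent/parentKey; with ca set it is a self-signed CA. Constructed test data only.
func issue(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // the hostname this leaf is valid for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// fingerprint is what a "certificate has changed" tracker pins: SHA-256 of the DER leaf.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// genuine runs the checks that establish legitimacy: trusted chain, hostname match, validity period.
func genuine(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// scenario: the trusted CA issues leaf1 (pinned by the client), then rotates to leaf2 with a
// fresh key; an impostor presents leaf3 from an untrusted CA. Returns (changed, genuine) for each.
func scenario() (rotChanged, rotGenuine, impChanged, impGenuine bool) {
	host := "imap.gmail.com" // hostname string only; nothing is contacted
	ca, caKey := issue("Constructed Test CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf1, _ := issue(host, false, ca, caKey)
	leaf2, _ := issue(host, false, ca, caKey)
	rogue, rogueKey := issue("Constructed Rogue CA", true, nil, nil)
	leaf3, _ := issue(host, false, rogue, rogueKey)
	pinned := fingerprint(leaf1)
	return fingerprint(leaf2) != pinned, genuine(leaf2, roots, host),
		fingerprint(leaf3) != pinned, genuine(leaf3, roots, host)
}
```

The rotated leaf trips the fingerprint comparison yet verifies cleanly, while the impostor leaf trips it and fails verification; only the second case is the one the notification is meant to catch.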