Author Topic: Gmail SSL Certs  (Read 3988 times)

madra

  • Newbie
  • *
  • Posts: 20
Gmail SSL Certs
« on: September 07, 2017, 12:01:06 pm »
I know this has been covered before and I know the reason why AquaMail throws up SSL errors when using Gmail accounts [due to Google's policy of rotating their SSL certs, which renders the current one invalid].

However, over the past week or so, it seems that Google have upped the frequency with which they rotate their certs. Whereas before, I might go several days or a week without getting this error, over the past few days, I've been seeing it almost on a daily basis. It's getting to the stage where the hassle of having to continually clear these errors on my several Gmail accounts across my couple of Android devices is beginning to outweigh the benefits of having the 'SSL Certificate Change Detection' option set, in the first place.

Is there any chance that this option could be expanded to add an option to disregard SSL Cert changes on Gmail accounts?... or is it possible to make AquaMail a bit smarter in this regard, so that it can tell that the new SSL Cert has also been issued by Gmail and not flag it up as a security violation?

StR

  • Hero Member
  • *****
  • Posts: 1558

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Gmail SSL Certs
« Reply #2 on: September 08, 2017, 08:39:34 pm »
Just in time it seems :)
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

madra

  • Newbie
  • *
  • Posts: 20

madra

  • Newbie
  • *
  • Posts: 20
Re: Gmail SSL Certs
« Reply #4 on: September 11, 2017, 05:58:07 pm »
Hmmm... it doesn't seem to be working. I'm running the 1,12,0-587-dev build you linked to and I've just had the SSL Cert error on all my Gmail accounts again. Do I have to do anything to enable the new feature? I thought it was on by default.



« Last Edit: September 12, 2017, 08:33:57 pm by madra »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Gmail SSL Certs
« Reply #5 on: September 12, 2017, 09:33:37 pm »
No, there is no setting.

Please post / send a screenshot of the "ssl cert confirmation" dialog with the details of the new certificate all visible.


madra

  • Newbie
  • *
  • Posts: 20
Re: Gmail SSL Certs
« Reply #6 on: October 12, 2017, 03:14:16 pm »
Sorry for the delay in getting back with this. I got so used to absentmindedly clicking away these alerts, that I kept forgetting to screengrab the cert details first.



As an aside, Google seem to be upping the certificate change frequency again at the moment. I've had three in the past four days. So I've disabled SSL hardening in AquaMail's prefs for now, as it was becoming too much of a hassle to have to keep dismissing these, especially since I have 4 Gmail accounts.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Gmail SSL Certs
« Reply #7 on: October 13, 2017, 08:07:34 pm »
@madra thanks. Unfortunately, your screenshots all have the "old" certificate ("seen previously"), not the "new" certificate which I needed to see.

Oh well, there is always a next time.

korin

  • Newbie
  • *
  • Posts: 3
Re: Gmail SSL Certs
« Reply #8 on: November 08, 2017, 10:41:35 am »
*edit: just saw the link to the update for handling Gmail cert changes, thanks, I'll check that out. Still, the suggestion below seems like it could potentially help with other email providers who update certs frequently*

Would it be possible to provide an option to alert on certificate change only if the subject and/or issuer changes? It seems like this would allow Google to update their cert all day long without harassing users but should catch any MITM attacks.
« Last Edit: November 08, 2017, 10:45:44 am by korin »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: Gmail SSL Certs
« Reply #9 on: November 10, 2017, 08:34:04 pm »
Quote
Would it be possible to provide an option to alert on certificate change only if the subject and/or issuer changes? It seems like this would allow Google to update their cert all day long without harassing users but should catch any MITM attacks.

What should we label this proposed setting --

"allow MITM attacks to succeed"?

Just a reminder - if you find this feature annoying, please please please just turn it off. Don't torture yourself.
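An added example (not AquaMail's code, and not from any poster in this thread) of the trade-off debated in the last two posts: what a remembered-certificate check alerts on when it compares the full fingerprint, only the public key, or only the subject and issuer names. The `Cert` record, the policy names and all sample values are constructed assumptions; the public-key policy goes beyond what the thread proposes.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (not a real parser)."""
    subject: str
    issuer: str
    spki: bytes  # public key bytes (SubjectPublicKeyInfo)
    der: bytes   # full encoded certificate


def pin(cert, policy):
    """Value remembered on first use and compared on every later connection."""
    if policy == "fingerprint":  # whole certificate: any reissue changes it
        return hashlib.sha256(cert.der).hexdigest()
    if policy == "spki":         # public key only: survives a same-key renewal
        return hashlib.sha256(cert.spki).hexdigest()
    if policy == "names":        # the proposal: subject and issuer strings only
        return (cert.subject, cert.issuer)
    raise ValueError(f"unknown policy: {policy}")


def alerts(seen, presented, policy):
    """True if the change-detection dialog would be shown."""
    return pin(seen, policy) != pin(presented, policy)


# Constructed sample data; names and byte strings are placeholders.
SUBJ, ISS = "CN=mail.example.test", "CN=Example Issuing CA"
seen = Cert(SUBJ, ISS, b"key-A", b"cert-1/key-A")
renewed = Cert(SUBJ, ISS, b"key-A", b"cert-2/key-A")    # same key, new validity
rotated = Cert(SUBJ, ISS, b"key-B", b"cert-3/key-B")    # routine key rotation
lookalike = Cert(SUBJ, ISS, b"key-X", b"cert-9/key-X")  # same names, not the server's key


def decision_table():
    """Map policy -> {scenario: would the user be alerted?}."""
    cases = {"renewed": renewed, "rotated": rotated, "lookalike": lookalike}
    return {p: {name: alerts(seen, c, p) for name, c in cases.items()}
            for p in ("fingerprint", "spki", "names")}


if __name__ == "__main__":
    for policy, row in decision_table().items():
        print(f"{policy:12s} {row}")
```

Under the names-only policy the look-alike is indistinguishable from a routine rotation, since subject and issuer are fields the certificate's creator fills in; only signature-chain validation ties them to a trusted CA.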