Gmail SSL Certs

[madra]

I know this has been covered before and I know the reason why AquaMail throws up SSL errors when using Gmail accounts [due to Google's policy of rotating their SSL certs, which renders the current one invalid].

However, over the past week or so, it seems that Google have upped the frequency with which they rotate their certs. Whereas before, I might go several days or a week without getting this error, over the past few days, I've been seeing it almost on a daily basis. It's getting to the stage where the hassle of having to continually clear these errors on my several Gmail accounts across my couple of Android devices is beginning to outweigh the benefits of having the 'SSL Certificate Change Detection' option set, in the first place.

Is there any chance that this option could be expanded to add an option to disregard SSL Cert changes on Gmail accounts?... or is it possible to make AquaMail a bit smarter in this regard, so that it can tell that the new SSL Cert has also been issued by Gmail and not flag it up as a security violation?

[StR]

https://www.aqua-mail.com/forum/index.php?topic=6030.msg36734#msg36734

[Kostya Vasilyev]

Just in time it seems

[madra]

https://www.aqua-mail.com/forum/index.php?topic=6030.msg36734#msg36734

Nice one! Downloading it as I write

[madra]

Hmmm... it doesn't seem to be working. I'm running the 1,12,0-587-dev build you linked to and I've just had the SSL Cert error on all my Gmail accounts again. Do I have to do anything to enable the new feature? I thought it was on by default.

[Kostya Vasilyev]

No there is no setting.

Please post / send a screenshot of the "ssl cert confirmation" dialog with the details of the new certificate all visible.

[madra]

Sorry for the delay in getting back with this. I got so used to absentmindedly clicking away these alerts, that I kept forgetting to screengrab the cert details first.



As an aside, Google seem to be upping the certificate change frequency again at the moment. I've had three in the past four days. So I've disabled SSL hardening in AquaMail's prefs for now, as it was becoming too much of a hassle to have to keep dismissing these --especially since I have 4 Gmail accounts.

[Kostya Vasilyev]

@madra thanks unfortunately your screenshots all have the "old" certificate ("seen previously") not the "new" certificate which I needed to see.

Oh well, there is always a next time.

[korin]

*edit: just saw the link to the update for handling gmail cert changes, thanks I'll check that out. Still the suggestion below seems like it could potentially help with other email providers who update certs frequently*

Would it be possible to provide an option to alert on certificate change only if the subject and/or issuer changes? It seems like this would allow google to update their cert all day long without harassing users but should catch any MITM attacks.

[Kostya Vasilyev]

Would it be possible to provide an option to alert on certificate change only if the subject and/or issuer changes? It seems like this would allow google to update their cert all day long without harassing users but should catch any MITM attacks.

What should we label this proposed setting --

"allow MITM attacks to succeed"?

Just a reminder - if you find this feature annoying, please please please just turn it off. Don't torture yourself.