Slashdot Mirror


Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs

DECula writes "In a move not communicated to its users beforehand, Google's Gmail servers were reconfigured to not connect to remote pop3 servers that have self-signed certificates, leaving folks with unencrypted connections, or no service when getting email from other services. Not good for the small folks. One suggestion was to allow placing the public keys on Google's side in the user configuration. That would be a heck of a lot better than just dropping users into never never land." Apparently, "valid" now means "paid someone Google approves to sign the certificate." It's not like commercial CAs have the best security track record either.

2 of 299 comments (clear)

  1. Re:Google should then provide signed certs by PlusFiveTroll · · Score: 4, Interesting

    Will it work with STARTSSL free personal certs?

    http://www.startssl.com/?app=1

  2. Re:You are wrong. by dch24 · · Score: 4, Interesting

    Examples of snooping that lack the ability to do a MITM attack:

    1. Listening to an encrypted wifi session, then breaking the encryption offline

    2. Tapping into undersea fiber (the listening party is going to have a hard enough time exfiltrating the snooped bytes; setting up a "take over" command and associated equipment is prohibitive due to both the technical and political risks)

    3. Listening device inside a government facility. China famously does this for example by using a small office-supply firm to get equipment into a US facility somewhere is Asia; the copy machine has a hard drive like any copy machine and there's nothing suspicious about that, right? And then you find the second, and the third, and the fourth hard drive hidden in places you would never look. The data is exfiltrated only when the machine is replaced as part of a regular service contract.
    Need I go on?