Slashdot Mirror


Gmail Drops Support for Connecting To Pop3 Servers With Self-Signed Certs

DECula writes "In a move not communicated to its users beforehand, Google's Gmail servers were reconfigured to not connect to remote pop3 servers that have self-signed certificates, leaving folks with unencrypted connections, or no service when getting email from other services. Not good for the small folks. One suggestion was to allow placing the public keys on Google's side in the user configuration. That would be a heck of a lot better than just dropping users into never never land." Apparently, "valid" now means "paid someone Google approves to sign the certificate." It's not like commercial CAs have the best security track record either.

19 of 299 comments

  1. Communications Breakdown by Frosty+Piss · · Score: 5, Insightful

    In a move not communicated to its users beforehand

    In a move not communicated to you. I have a Google Apps account and received an email about this a few weeks ago.

    Not good for the small folks.

    A cert from BigNameInternetCompany costs next to nothing (although it might just be worth that much as well).

    My guess is that this is mostly driven by the desire to minimize SPAM email servers using the Google network to abuse their victims.

    One suggestion was to allow placing the public keys on Google's side in the user configuration. That would be a heck of a lot better than just dropping users into never never land.

    Again, a cert that is acceptable to Google is so dirt cheap as to be inconsequential to anyone running a server that needs one. So, the only reason can be that those that object are the crusty RMS types - everything must be free. Google is more concerned with the health of their network, not random non-paying non-customer's not really needy needs.

    I know that sounds harsh, but Google is not a social services agency.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Communications Breakdown by morcego · · Score: 4, Insightful

      My guess is that this is mostly driven by the desire to minimize SPAM email servers using the Google network to abuse their victims.

      Ok, hold on a moment. What does POP3 access over SSL have to do with spam?

      --
      morcego
  2. Cue the self-signed-certs are insecure responses. by Rich0 · · Score: 5, Insightful

    I know this will get 400 replies about how self-signed certificates don't provide complete security.

    I'd buy that argument if Google configured their servers to only accept connections over SSL with trusted certificates, and then refused to connect at all otherwise.

    However, they're still allowing unencrypted connections as well. There isn't a single attack you can mount on an SSL connection with a self-signed certificate that you can't also mount on an unencrypted connection.

    Trusted vs untrusted SSL is a false dichotomy - it neglects the most commonly used option of not using SSL at all, which is completely insecure.

  3. Since you need FCRDNS to send mail these days by Vekseid · · Score: 5, Informative

    That means you have to control at least one IP address.

    It's also really hard to send e-mail without at least one domain of your own.

    Reseller pricing of low-end certificates is about the same cost as a domain. From Namecheap and elsewhere.

    That said, I didn't know about this, and forgot to set up SSL at one of my domains. I didn't much care, but my reaction to this is pretty much "Oh, so that's what Google is bitching about. Okay."

    This is much ado about rather little.

  4. Re:Google should then provide signed certs by PlusFiveTroll · · Score: 4, Interesting

    Will it work with STARTSSL free personal certs?

    http://www.startssl.com/?app=1

  5. Re:Cue the self-signed-certs are insecure response by Burning1 · · Score: 4, Insightful

    This misses the point that trusting self signed certificates significantly reduces the security of CA signed certificates.

    In order to protect against Man in the Middle and other identity based attacks, Google needs a way of certifying that the remote machine is who they say they are. If the service trusts a self-signed certificate, there's nothing preventing a 3rd party from performing a MITM attack by intercepting your traffic and re-signing it with their own key. The only workaround would be to use a known_hosts based system, similar to SSH. This however increases the costs of administration, and still provides avenues of attack.

    I generally agree with Google's move. I think it's a bad thing to compromise the security of CA certs in order to support self-signed certs.

  6. Re:Google should then provide signed certs by hobarrera · · Score: 4, Informative

    You're right, they're not cheap. Actually they're free.

  7. Re:Google can do what they want. by ThatFunkyMunki · · Score: 5, Informative

    Yes, you can. The only issue is that when you are using the gmail interface to download mail from an external POP3 server, if you want the connection to be encrypted, your SSL certificate cannot be self-signed. This does not affect anything to do with using regular gmail with a regular POP3 client.

    --
    If patriotism is racist, is racism patriotic?
  8. Re:Google can do what they want. by PhunkySchtuff · · Score: 4, Informative

    From my reading of the linked article, this has nothing whatsoever to do with fetching your email from Google over POP3 (or POP3S)

    What this affects is if you are running a mailserver that uses a self-signed certificate, or if you're using another email account on a mailserver that uses a self-signed certificate, then you can no longer tell your gmail account to pull the email in from your second account over POP3S, as it can't verify the certificate.

    You can still have gmail pull in your POP email via the non-secure protocol, or have the mail server administrator pay the $30 or so a year it costs to get a valid certificate signed by a recognised CA.

    You can still fetch your gmail via POP, using SSL or not, although why anyone would want to use POP if they're given any other option (such as IMAP) is beyond me.

  9. Re:Google should then provide signed certs by IVI4573R · · Score: 4, Informative

    Yes. My dovecot server is configured with a Class 1 from STARTSSL and Gmail is happy with it. You just have to remember to use the "Server Certificate Bundle with CRLs" provided by STARTSSL in the ssl_ca option so that the chain to CA is complete.

    --
    https://www.accountkiller.com/removal-requested
  10. You are wrong. by Kludge · · Score: 5, Insightful

    But it's better -- for Google and users -- for Google not to support self-signed certs than to support them in a way which provides illusory security, which is what Google was doing before it discontinued support for them.

    That is wrong. Here is the hierarchy.
    1. No security (OK)
    2. Encryption (Better)
    3. Encryption and Authentication (Best)
    Saying that 1 is better than 2 is wrong. After Google connects to a server just once and stores the key, all subsequent connections can be encrypted and verified that they are made to the same server. This fear of encryption without authentication is very ignorant.
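
Added example, not part of the thread or any poster's code: a Python sketch of the trust-on-first-use pinning that Burning1's "known_hosts based system" and Kludge's "connects to a server just once and stores the key" both describe. `PinStore`, the JSON file layout and `mail.example.org` are assumptions made for illustration, and the certificate bytes in `demo()` are constructed.

```python
import hashlib, hmac, json, socket, ssl, tempfile
from pathlib import Path

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 995, timeout: float = 10.0) -> bytes:
    """Return the server's certificate without CA validation (not called by demo)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin, not from a CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class PinStore:
    """known_hosts-style store (hypothetical layout): 'host:port' -> fingerprint."""
    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, port: int, der: bytes) -> str:
        key, seen = f"{host}:{port}", fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact: nothing to compare against, so this connection
            # is unauthenticated. Record the pin for later connections.
            self.pins[key] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned-first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Different certificate: interception or key rotation. Keep the old
        # pin and do not send USER/PASS until an operator confirms the change.
        return "mismatch"

def demo() -> list:
    """Replay three fetches against constructed certificate bytes."""
    cert_a = b"constructed DER bytes: the server's self-signed cert"
    cert_b = b"constructed DER bytes: a different cert seen on the wire"
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "pop3_pins.json"
        results = [PinStore(path).check("mail.example.org", 995, cert_a)]
        results.append(PinStore(path).check("mail.example.org", 995, cert_a))
        results.append(PinStore(path).check("mail.example.org", 995, cert_b))
        return results
```

The first result is the gap the thread argues over: at first use there is no pin, so that one connection is encrypted but unauthenticated, and every later connection is checked against it.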

    1. Re:You are wrong. by dch24 · · Score: 4, Interesting

      Examples of snooping that lack the ability to do a MITM attack:

      1. Listening to an encrypted wifi session, then breaking the encryption offline

      2. Tapping into undersea fiber (the listening party is going to have a hard enough time exfiltrating the snooped bytes; setting up a "take over" command and associated equipment is prohibitive due to both the technical and political risks)

      3. Listening device inside a government facility. China famously does this for example by using a small office-supply firm to get equipment into a US facility somewhere in Asia; the copy machine has a hard drive like any copy machine and there's nothing suspicious about that, right? And then you find the second, and the third, and the fourth hard drive hidden in places you would never look. The data is exfiltrated only when the machine is replaced as part of a regular service contract.
      Need I go on?

  11. Re:Self-signed certs have bad cost:benefit for Goo by WaffleMonster · · Score: 4, Informative

    Self-signed certs don't provide any security advantage in the Gmail use case over no SSL

    There is an important difference in that the use of SSL provides protection against passive eavesdropping, where an attacker may only be able to listen to but not alter the contents of transmitted data.

  12. Re:Cue the self-signed-certs are insecure response by AaronLS · · Score: 5, Insightful

    It is a big deal for a CA to be compromised, I agree on that. However, to use that to then say signed certs are completely useless is not just an exaggeration, it is completely wrong and inaccurate. You sir, are an alarmist.

    You threw the baby out with the bathwater... oh the horror. Someone go get the baby back.

    The incidents you describe did not compromise the vast majority of SSL connections. Only a tiny fraction, and only for a limited time span, since the beauty of the CA system is they are able to revoke certs once discovered to be invalid. Although that can take some time to trickle down since many OSes cache the CA's public key, and is only changed via a system update.

    Self signed certs are far more insecure. At least with CA certs you have a 99.9%+ chance of having a secure connection. With self signed certs, you have 0% guarantee unless you've been communicating public keys out of channel.

    I'm not sure what "job" you are referring to is more difficult. There is a vast wealth of libraries and applications that support SSL, making any "job" involving supporting SSL easy. If that is difficult for you, maybe you should get a different job.

    If you want to take the lead on implementing a new system that provides the same level of security then be my guest. Otherwise all I hear is a bunch of CA bashing nonsense that has no root in statistics.

  13. Re:Google should then provide signed certs by msauve · · Score: 4, Insightful

    "you should really get a recognised SSL certificate if you want to offer SSL protected services, otherwise you're only getting half the benefit of SSL connections - you get encryption but not authentication."

    No, it's perfectly reasonable to run your own CA, as an individual or an organization, distribute your CA cert to those using the service, and go merrily on your encrypted and authenticated way.

    Except for Google, who provides no mechanism to associate a private CA cert, or the public side of a self signed one, with a gmail account.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  14. Re:Google should then provide signed certs by SteveFoerster · · Score: 4, Funny

    alligation

    Is that like an allegation that hides beneath the surface of the river, biding its time?

    --
    Space game using normal deck of cards: http://BattleCards.org
  15. Re:Google should then provide signed certs by Albanach · · Score: 4, Insightful

    How does it do that?

    Presumably if you trust self-signed certificates, anyone can launch a MITM attack against your server with a self-signed certificate. Google would trust the self-signed certificate as being your own and then relinquish your login credentials when it attempts to retrieve the mail.

    Now the MITM has to at least get a certificate from a trusted source that will have to, at a minimum, perform some sort of domain validation.

    The increase in security may not be huge, but there's certainly some gain in security from this, and well worth the few dollars that a domain authenticated certificate costs.

  16. Re:Self-signed certs have bad cost:benefit for Goo by Binestar · · Score: 4, Informative

    Sorry, but it isn't. MITM means the man in the middle pretends to be the server when you talk to him, then pretends to be you when the server talks to him. He then stands in the middle, encrypting to you, encrypting to the server, pretending to be both.

    Check out this video for the video that finally caused me to "get" it. https://www.youtube.com/watch?v=3QnD2c4Xovk

    --
    Do you Gentoo!?
  17. Re:Google should then provide signed certs by Score+Whore · · Score: 4, Funny

    You've now posted several times that self signed certs are useless and provide no security, in fact they lower security (from what baseline I must ask?)

    So I would make a little bet with you. I will put up $100,000, my testicles in a jar with a small plaque saying "These balls once belonged to a fool." You will put up $10,000 plus any required travel expenses to carry out the wager. The terms of the wager are that I will provide a client and a server system. The server will have a self signed certificate. You will provide the networking equipment of your choice as well as any device(s) you so desire to place in between my client and server. I will make an SSL connection from my client to my server. Your job is to MITM the connection without my being able to detect said MITMing. Note that I am allowing you to build the entire network connecting my two devices, only requirement being that it be standard ethernet. Additionally you do not get to tamper with my equipment, this is about the security of self signed certificates, not whether you can literally or metaphorically crowbar open my systems and install a keylogger to capture the passphrase of my private SSL keys.

    How about it? You game? I can always use an extra $10,000.