
Mail can't verify the identity of "pop.gmail.com"


Jamie Kahn Genet

Sep 4, 2011, 11:43:44 PM
Hey guys, I've a client getting "Mail can't verify the identity of
"pop.gmail.com"" messages in Mail in OSX 10.5.8. Her POP and SMTP
settings seem fine from asking her over the phone, and all is well if
she selects "Connect" and uses the certificate Mail takes issue with,
regardless.

Also apparently the message is only intermittent, not happening every
time she connects to the POP server.

When she okays use of a certificate by selecting "Connect" anyway, is
OSX then allowing future usage of the certificate for a set time? I seem
to recall when I last had a dodgy certificate in OSX that I had to ok
use every single time. Has that changed? Or is my memory faulty?

I ask as I'm trying to work out why she's only getting that message
intermittently, as it's either 10.5.8 being unable to authenticate the
certificate, the certificate itself being out of date (seems unlikely -
this is Google after all), or possibly a connection issue affecting
connecting to the POP server during authentication.

TIA,
Jamie Kahn Genet

--
If you're not part of the solution, you're part of the precipitate.

David Stone

Sep 6, 2011, 9:34:08 AM
In article <1k74oci.6jratt63tsbjN%jam...@wizardling.geek.nz>,

jam...@wizardling.geek.nz (Jamie Kahn Genet) wrote:

> Hey guys, I've a client getting "Mail can't verify the identity of
> "pop.gmail.com"" messages in Mail in OSX 10.5.8. Her POP and SMTP
> settings seem fine from asking her over the phone, and all is well if
> she selects "Connect" and uses the certificate Mail takes issue with,
> regardless.
>
> Also apparently the message is only intermittent, not happening every
> time she connects to the POP server.

Does this occur immediately after waking from sleep? I had problems
on an older system with this routinely. Newer hardware seems not to
have the same problem (G3 -> G5).

> When she okays use of a certificate by selecting "Connect" anyway, is
> OSX then allowing future usage of the certificate for a set time? I seem
> to recall when I last had a dodgy certificate in OSX that I had to ok
> use every single time. Has that changed? Or is my memory faulty?

There was recently a problem with fake Google/Gmail certificates.
Here's the last in a series of articles on the issue (watch the wrap):
<http://arstechnica.com/apple/news/2011/09/safari-users-still-susceptible-to-attacks-using-fake-diginotar-certs.ars>

Jamie Kahn Genet

Sep 6, 2011, 9:58:20 AM
David Stone <no.e...@domain.invalid> wrote:

> In article <1k74oci.6jratt63tsbjN%jam...@wizardling.geek.nz>,
> jam...@wizardling.geek.nz (Jamie Kahn Genet) wrote:
>
> > Hey guys, I've a client getting "Mail can't verify the identity of
> > "pop.gmail.com"" messages in Mail in OSX 10.5.8. Her POP and SMTP
> > settings seem fine from asking her over the phone, and all is well if
> > she selects "Connect" and uses the certificate Mail takes issue with,
> > regardless.
> >
> > Also apparently the message is only intermittent, not happening every
> > time she connects to the POP server.
>
> Does this occur immediately after waking from sleep? I had problems
> on an older system with this routinely. Newer hardware seems not to
> have the same problem (G3 -> G5).

G'day David. I don't know about happening after sleep, but I shall
inquire, thanks. Though they're on a far more recent Intel iMac.

> > When she okays use of a certificate by selecting "Connect" anyway, is
> > OSX then allowing future usage of the certificate for a set time? I seem
> > to recall when I last had a dodgy certificate in OSX that I had to ok
> > use every single time. Has that changed? Or is my memory faulty?
>
> There was recently a problem with fake Google/Gmail certificates.
> Here's the last in a series of articles on the issue (watch the wrap):
> <http://arstechnica.com/apple/news/2011/09/safari-users-still-susceptible-to-attacks-using-fake-diginotar-certs.ars>

Yeah, I saw that, and wondered if it could somehow be related, but I've
no idea how.

Kevin McMurtrie

Sep 8, 2011, 3:35:50 AM

That's a man-in-the-middle attack or a bug in 10.5 that randomly says
certificates are invalid. A man-in-the-middle attack is where an
attacker intercepts traffic between two points. Public digital
signature certificates prevent the attacker from producing a convincing
forgery to the victim. Traffic will be still encrypted between the
attacker and the victim, but the attacker will not be able to produce
the correct digital signature.

Manually setting a certificate to "Trust" is only for personal digital
signatures while in a protected network. It should never be done for a
public certificate or while on a public network. You can work around
the 10.5 bug by simply trying the connection again.

I recommend updating to 10.6.8 to fix the bug, deleting any custom trust
settings, and deleting DigiNotar certificates. (DigiNotar was hacked
and they've been slow to clean up fakes)
--
I will not see posts from Google because I must filter them as spam
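
Added example, not part of the thread: one way to tell the two explanations in the post above apart is to probe the POP3S endpoint repeatedly and compare SHA-256 fingerprints of the certificates that were accepted with those that were rejected. The function names, port 995 and the probe count are assumptions made here; the script uses Python's trust store rather than Mail's keychain, so it checks the network path, not the 10.5 behaviour itself.

```python
import hashlib
import socket
import ssl


def _handshake(host, port, verify, timeout):
    """Complete one TLS handshake and return the leaf certificate's SHA-256."""
    ctx = ssl.create_default_context()      # system roots, hostname check on
    if not verify:                          # used only to fingerprint a rejected cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def probe(host="pop.gmail.com", port=995, timeout=10):
    """Return (verify_error or None, fingerprint). No mail credentials are sent."""
    try:
        return (None, _handshake(host, port, True, timeout))
    except ssl.SSLCertVerificationError as err:
        # Second, unverified handshake: fetch what was rejected so it can be compared.
        return (err.verify_message, _handshake(host, port, False, timeout))


def assess(observations):
    """Classify a list of (verify_error, fingerprint) tuples from probe()."""
    ok = {fp for err, fp in observations if err is None}
    rejected = {fp for err, fp in observations if err is not None}
    if not rejected:
        return "all-verified"
    if rejected <= ok:
        # The very same certificate passed on other attempts: suspect the client
        # (clock, trust settings, validation bug), not the path.
        return "same-cert-sometimes-rejected"
    # A certificate that never validated was presented: investigate the path.
    return "rejected-cert-never-verified"


if __name__ == "__main__":
    results = [probe() for _ in range(10)]
    for err, fp in results:
        print(err or "verified", fp)
    print(assess(results))
```

Several different fingerprints among the verified results are expected from a large provider with many front ends; only a rejected fingerprint that never verifies is the signal worth chasing.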

Jamie Kahn Genet

Sep 8, 2011, 4:23:53 AM
Kevin McMurtrie <mcmu...@pixelmemory.us> wrote:

I'm aware of that type of attack, but it seems unlikely unless there's
been a DNS security breach as well, as the user is not in a position
where her transmissions could be intercepted before reaching her
ISP.

Also I doubt they should have to update to 10.6 because of this, but
I'll keep it in mind if it looks like the only way.

Kevin McMurtrie

Sep 8, 2011, 9:16:53 AM
In article <1k7alt4.ynzyyp7urbbmN%jam...@wizardling.geek.nz>,
The man-in-the-middle attack doesn't require a DNS hack. It only
requires intercepting the traffic. That can be as simple as spoofing a
WiFi access point or hacking a single server in a data center to perform
BGP hijacking. I got certificate failures regularly while traveling in
Asia, especially if data passed through China. Sometimes VPN got
through unaltered but there were a couple of places where no certs could
be verified.

Jamie Kahn Genet

Sep 8, 2011, 3:46:04 PM
I get that, which is why I suggest only a DNS hack could affect my
friend, whose WiFi simply isn't in a position to be compromised (they
live in the country where someone would have to drive onto their farm to
reach their WiFi's signal), is running a Mac, and seems to call me every
time anything asks for their admin password, heh, so the chances of a
compromised computer seem very slim.

Thus unless their ISP's DNS is hacked, or DNS further upstream, I don't
see how they could be subject to a man-in-middle attack.