Re: [Gmail-Users] Re: Server returned error "SSL error: self signed certificate in certificate chain"


Kenneth Ayers

Dec 13, 2012, 7:16:43 PM
to gmail...@googlegroups.com

On Thu, Dec 13, 2012 at 2:01 PM, <michael....@gmail.com> wrote:

Yeah, according to this page: http://support.google.com/mail/bin/answer.py?hl=en&answer=21291&ctx=gmail#strictSSL they changed the policy on the 12th.

I really think they should provide an option to disable this strict checking.


From the page you provided:

Alternatively, you can disable using SSL in Gmail by unchecking ‘Always use a secure connection (SSL) when retrieving mail’ on the Accounts and Import tab in your Mail settings. However, this means that your password and email will not be protected while sent over the Internet, so we don’t recommend disabling this.


muhammad shoaib muhammad ishtiaq

Dec 14, 2012, 12:20:13 AM
to gmail...@googlegroups.com
I have the same problem too. What do I do to solve this problem?

Regards,
Muhammad Shoaib

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To post to this group, send email to gmail...@googlegroups.com.
To unsubscribe from this group, send email to gmail-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/gmail-users?hl=en.

Marko Vukovic

Dec 17, 2012, 10:01:39 AM
to gmail-users
Google has decided to enforce strict SSL as of December 2012.

You will have to either request that your provider install a valid cert, or turn off 'always use SSL'.

--
Marko

Marko Vuković

Dec 17, 2012, 6:36:12 PM
to gmail...@googlegroups.com
It is not up to Google to support POP3 servers using self-signed certificates. They have made the decision, quite rightly (IMHO), to use strict SSL.
You should ask your provider why they are not using a valid CA-signed certificate.

--
Marko


On 17 Dec 2012, at 15:19, Talha Karahan <karaha...@gmail.com> wrote:

I have the same problem. Google says if you are facing problems with the new Strict SSL policy, uncheck the SSL box. But when I uncheck the SSL box, I cannot connect to my e-mail server because the server wants an SSL connection. It says: "Connection timed out: There may be a problem with the settings you added. Please contact your other email provider to verify the correct server name and port."

Google must solve this. This is a huge problem...

On Sunday, 16 December 2012 17:04:23 UTC+2, Piotr Balwierz wrote:
I am running a small non-commercial server for a couple dozen people.
Google is now adding more work and hassle for me, and is probably telling me to spend my money on certificates.

Or is it simply an action against 3rd party servers and google wants users to use exclusively gmail?

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/gmail-users/-/JQCHX8lHLu8J.

Zack (Doc)

Dec 17, 2012, 11:23:32 PM
to Gmail-Users Google Group
Piotr,

You are wrong.  It is absolutely safer for you, and your customers.  Self-signed certs are more dangerous than not securing at all.  There's a reason every browser out there gives you numerous warnings about accepting them.  By using them you're training your staff and customers to accept insecure security.  This is more dangerous than just leaving the information unsecured since it teaches trust in something that shouldn't be trusted, and will be exploited by your attackers.

Just a cursory look and I found signed certs for only about $100 a month.  If you shop, or set up your own trusted cert, it could be even cheaper.

And you can just turn off SSL to get past Google's new requirement.


On Mon, Dec 17, 2012 at 7:10 PM, Piotr Balwierz <balw...@gmail.com> wrote:
@vukko(Marko):
I think you don't understand something here: We ARE our own providers. We maintain our own servers. And having a CA-signed certificate means paying $$ €€ ¥¥ each year to some company, and it is not safer for us at all and adds more cost and effort.

On Tuesday, 18 December 2012 00:36:12 UTC+1, vukko wrote:
It is not up to Google to support POP3 servers using self-signed certificates. They have made the decision, quite rightly (IMHO), to use strict SSL.
You should ask your provider why they are not using a valid CA-signed certificate.

--
Marko


Marko Vukovic

Dec 18, 2012, 5:05:03 AM
to gmail-users
Piotr 

I was not addressing YOU. I was addressing the OP.

As Doc points out, there is a very good reason why client software will warn about self-signed certs. Seeing as you maintain your own Internet-facing systems, you may wish to look into that (hint: man-in-the-middle attack). Making sweeping statements such as 'it is not safer for us at all' is entirely incorrect.

Why would you expect Google to pay for, and provide you (for free) with, strict SSL encryption on their systems, when you don't want to spend anything to secure your own systems?
You can get a GoDaddy cert for $12.99/year, that's not a lot of money.

At the end of the day, a company like Google needs to use highest levels of security to protect your information and their reputation. Arguing about the cost and effort as motivation for why they should support self-signed certs is pointless.
As admin of your own system, you will need to either a) purchase a valid cert, b) turn off SSL or c) deliver the mail via alternate method eg. forwarding from your server(s).


On Tue, Dec 18, 2012 at 2:10 AM, Piotr Balwierz <balw...@gmail.com> wrote:
@vukko(Marko):
I think you don't understand something here: We ARE our own providers. We maintain our own servers. And having a CA-signed certificate means paying $$ €€ ¥¥ each year to some company, and it is not safer for us at all and adds more cost and effort.

On Tuesday, 18 December 2012 00:36:12 UTC+1, vukko wrote:
It is not up to Google to support POP3 servers using self-signed certificates. They have made the decision, quite rightly (IMHO), to use strict SSL.
You should ask your provider why they are not using a valid CA-signed certificate.

--
Marko




--
Marko

Marko Vukovic

Dec 19, 2012, 7:05:51 PM
to gmail-users

On Wed, Dec 19, 2012 at 3:13 PM, <michael....@gmail.com> wrote:

First of all, are you really sure the certificates signed by the so called "trusted" CAs are more secure for you?  Do you think a malicious party wouldn't be able to get a certificate like that?  Consider that it has happened before.

Second, SSL gives you encryption apart from verification (which IMO doesn't work anyway), so even if you have no verification with self-signed certs you still have encryption.  This is all about levels of security.

Indeed you still have encryption, but the problem is that a man-in-the-middle attack is easier to do when the server is using a self-signed certificate.


Finally, an even more secure option than certs signed by "trusted" CAs would be to allow users to manually configure certificates to trust (i.e. more or less like SSH works).  There was an interesting discussion about this on hacker news recently:  http://news.ycombinator.com/item?id=4920088

Interesting, thanks for the link.

--
Marko 

Zack (Doc)

Dec 19, 2012, 7:56:15 PM
to Gmail-Users Google Group
Apples and oranges.  SSL is all about the verification and less about the encryption.  SSH is all about the encryption, and barely about the verification.

SSH can only be verified on a second and subsequent connection, and you're only comparing it against who they said they were the first time.  Since mail transfers are often initial conversations, this wouldn't work.  Sure, it'd encrypt it just fine, but no way to tell you're talking to whom you think you are.

Yes bad guys have been able to occasionally get a trusted cert, but the point of a signed cert is that the signer can revoke it.  If/When the bad guys get a cert from a trusted provider, they can revoke it, and it's useless.  A self-signed cert cannot be revoked because you signed it yourself.

A more secure option, if you don't want to pay the GoDaddy price (cheapest I've heard so far), is to set up your own PKI server (probably free versions) and sign your cert that way.  It creates a trust chain that does not begin and end with a single server.  This way, your family just adds the PKI server as a trusted source, and all your certs are good.  Also, your trust chain shows up on your cert, so Google could follow it to your other server and be trusted.

Lastly, as several have said... you can just turn off SSL on your retrieve, and/or have your server actually forward them, rather than retrieving them.  This has the added benefit of having the files there instantly; rather than waiting for a collection time.



On Wed, Dec 19, 2012 at 8:13 AM, <michael....@gmail.com> wrote:
On Tuesday, December 18, 2012 4:23:32 AM UTC, Zack Tennant wrote:
You are wrong.  It is absolutely safer for you, and your customers.  Self-signed certs are more dangerous than not securing at all.  There's a reason every browser out there gives you numerous warnings about accepting them.  By using them you're training your staff and customers to accept insecure security.  This is more dangerous than just leaving the information unsecured since it teaches trust in something that shouldn't be trusted, and will be exploited by your attackers.
First of all, are you really sure the certificates signed by the so called "trusted" CAs are more secure for you?  Do you think a malicious party wouldn't be able to get a certificate like that?  Consider that it has happened before.

Second, SSL gives you encryption apart from verification (which IMO doesn't work anyway), so even if you have no verification with self-signed certs you still have encryption.  This is all about levels of security.

Finally, an even more secure option than certs signed by "trusted" CAs would be to allow users to manually configure certificates to trust (i.e. more or less like SSH works).  There was an interesting discussion about this on hacker news recently:  http://news.ycombinator.com/item?id=4920088

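Zack's suggestion above, that a home-grown CA produces a chain Google could follow, and Jez's objection in the next message, that the chain still ends in a self-signed root, can both be checked with the openssl command-line tool. The script below is an added example, not code from anyone in this thread; the CA name, the host name and the file names are made up for the demo, and it assumes only that openssl (1.1.1 or later) is in PATH. It builds a private root, issues a server certificate from it, then runs the three verifications a client can end up doing: with no chain at all, with the chain but without trusting its root, and with the root explicitly trusted.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA, a server cert issued by it,
# and what a strict client makes of that chain. Example-Root-CA and
# pop.example.test are made-up names; only openssl is required.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The private root. A root is self-signed by construction (subject == issuer);
#    CA:TRUE is set explicitly so the result does not depend on the host's openssl.cnf.
make_private_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example-Root-CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. The POP3 server's certificate, signed by that root (the "own PKI server" plan).
make_server_cert() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pop.example.test\n' > "$WORK/pop.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$WORK/pop.key" -out "$WORK/pop.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/pop.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/pop.ext" -out "$WORK/pop.pem" 2>/dev/null
}

# 3a. Server sends only its own cert: the issuer cannot be found at all
#     (error 20, "unable to get local issuer certificate").
verify_without_chain() {
    openssl verify "$WORK/pop.pem"
}

# 3b. Server sends the full chain, root included, as -untrusted models. The chain
#     is complete, but its root is not in the client's trust store, so the client
#     stops at depth 1 with error 19: "self signed certificate in certificate chain".
#     This is what a client holding only the public roots sees.
verify_chain_root_untrusted() {
    openssl verify -untrusted "$WORK/ca.pem" "$WORK/pop.pem"
}

# 3c. Same chain after the client has imported the private root. Passes, but only
#     because the verifier chose to trust that root; a third party will not.
verify_with_root_trusted() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/pop.pem"
}

main() {
    make_private_ca
    make_server_cert
    echo "--- leaf only, no chain ---";              verify_without_chain        || true
    echo "--- chain supplied, root not trusted ---"; verify_chain_root_untrusted || true
    echo "--- root explicitly trusted ---";          verify_with_root_trusted
}
main
```

The second case is the one in the thread title: shipping the root inside the chain does not make it trusted, it only changes the error from "unable to get local issuer certificate" to "self signed certificate in certificate chain". Only the third case passes, and it requires the verifier to import the private root, which is exactly the step Gmail's fetcher will not take on anyone's behalf.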

Michael Gliwinski

Dec 21, 2012, 8:13:23 AM
to gmail...@googlegroups.com
On 20 December 2012 01:40, Jez <jlai...@rebel-it.com.au> wrote:
> On Thursday, December 20, 2012 11:56:15 AM UTC+11, Zack Tennant wrote:
>>
>> Apples and oranges. SSL is all about the verification and less about the
>> encryption. SSH is all about the encryption, and barely about the
>> verification.
>
>
> Not really. You can't assure encryption unless you can assert
> authentication of the end-point. In both cases, authentication is required
> to prevent man-in-the-middle attacks.
>
> If SSL was not about encryption, it would be widely deployed with NULL
> encryption, but it's not.

Exactly!

>> SSH can only be verified on a second and subsequent connection,
>
>
> Unless the first connection was out-of-band (via a different and trusted
> connection), or the key thumbprint was verified out-of-band, or if the
> previously-generated server key was put there at build time, or etc. Just
> because some people don't care much about SSH authentication, doesn't mean
> nobody does.

Exactly, again. Whenever I build a server I either ensure it has a
proper key or if it's new, I copy the key and ensure it's known to
other servers. Unknown keys are refused.

>> A more secure option, if you won't want to pay the GoDaddy price (cheapest
>> I've heard so far)

It's not really about the price, I just think we should have more options.

>> is to set up your own PKI server (probably free versions)
>> and sign your cert that way. It creates a trust chain that does not begin
>> and end with a single server. This way, your family just adds the PKI
>> server as a trusted source, and all your certs are good. Also, your trust
>> chain shows up on your cert, so Google could follow it to your other server
>> and be trusted.
>
>
> I don't think this would work. You still end up with a certificate trust
> chain containing a self-signed cert. The term "certificate chain" is shown
> in the error message, rather than just "certificate". I suspect the Gmail
> POP client has the same list of trusted CAs as in the Chrome browser.
>
>>
>> Lastly, as several have said... you can just turn off SSL on your
>> retrieve,
>
>
> I think the point of using encryption is to protect the POP password.
> Forwarding the mail to the Gmail servers avoids this problem. Turning off
> SSL does not.

Yes, protecting POP/IMAP password, and also protecting mail content
while in transit.

Granted, blindly accepting any self-signed certificate puts you at
risk of MITM but if you turn off encryption entirely, your password
and mail are completely open even to passive listeners.
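The SSH-style alternative that Michael proposes earlier in the thread, and that Jez qualifies above (a pin checked on every connection, accepted on first use or seeded out of band), looks like this in practice. This is an added example, not code from anyone in the thread; the host names and the known_servers file are made up, and it assumes only that openssl is in PATH. Two throwaway self-signed certificates stand in for the real server and for a man-in-the-middle presenting the same name with a different key.

```shell
#!/bin/sh
# Added example (not from the thread): a known_hosts-style pin store for server
# certificates. pop/imap/smtp.example.test and known_servers are made-up names.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PINS="$WORK/known_servers"   # one line per server: "<host:port> <sha256 of DER cert, hex>"
: > "$PINS"

# Stand-in for the certificate a server would present in the TLS handshake.
make_self_signed() {   # $1 = CN, $2 = output PEM path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# SHA-256 over the DER encoding, lower-case hex with no colons: the same value
# browsers and openssl show as the certificate fingerprint.
fingerprint_of() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Compare the presented fingerprint with the stored pin.
# Prints new | match | mismatch; exit status 1 on mismatch (do not send the password).
check_pin() {   # $1 = host:port, $2 = fingerprint presented by the server
    host="$1"; fp="$2"
    stored="$(awk -v h="$host" '$1 == h { print $2 }' "$PINS")"
    if [ -z "$stored" ]; then
        # Trust on first use. This is the weak moment: whoever answers first gets pinned.
        echo "$host $fp" >> "$PINS"
        echo new
    elif [ "$stored" = "$fp" ]; then
        echo match
    else
        echo "WARNING: certificate for $host has changed (pinned $stored, got $fp)" >&2
        echo mismatch
        return 1
    fi
}

# Seed the pin over a trusted channel before the first network contact, so the
# "new" case never happens on an untrusted path.
pin_out_of_band() {   # $1 = host:port, $2 = fingerprint obtained out of band
    echo "$1 $2" >> "$PINS"
}

demo() {
    make_self_signed pop.example.test "$WORK/server.pem"
    make_self_signed pop.example.test "$WORK/impostor.pem"   # same name, different key
    real="$(fingerprint_of "$WORK/server.pem")"
    fake="$(fingerprint_of "$WORK/impostor.pem")"
    echo "first connection:  $(check_pin pop.example.test:995 "$real")"
    echo "second connection: $(check_pin pop.example.test:995 "$real")"
    echo "MITM connection:   $(check_pin pop.example.test:995 "$fake" || true)"
    pin_out_of_band imap.example.test:993 "$real"
    echo "pre-seeded host:   $(check_pin imap.example.test:993 "$real")"
}
demo
```

The `new` outcome is the weakness Zack describes: the store believes whoever answered first, so the first contact has to happen on a network you trust, or the pin has to come from another channel as `pin_out_of_band` does. After that, a changed certificate is refused instead of being silently accepted, which is the gap Marko points to for clients that skip verification and keep only the encryption.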