SSL fingerprint verification

Sebastian Spaeth Sebastian at SSpaeth.de
Tue Aug 30 22:09:01 BST 2011


On Tue, 30 Aug 2011 22:36:44 +0200, Johannes Kastl <mail at ojkastl.de> wrote:
> When opening a website using https://, the browser checks if the
> certificate is valid. When using POP/IMAP/SMTP over SSL, the program
> (Thunderbird, Seamonkey, ...) checks the certificate and throws an
> error, when the certificate is wrong/no longer valid/...
> 
> Why does offlineimap need the user to configure a sslcacertfile or a
> fingerprint?

Your web browser can verify that a certificate is valid because it has
built in a list of CA Certificates that it uses for verification. This
works unless (see today's news) some CA is misled into signing fake
certificates. If some CA cert expires or is added, you need to update
your, say Firefox, to be able to use it. You can also only verify those
https sites which have been signed by the few selected CAs that are in
your web browser list. If your server has been signed by say cacert.org
or even a self-signed certificate, you are mostly out of luck.

OfflineImap has no such list of CA Certificates built-in, nor does it
want to get into the business of bundling them (or we would need to
update the software every time a rogue certificate has been found). This
is why there is a CA Certfile setting to point offlineimap to the
relevant CA certs (either installed system wide or locally). There is no
standard as to where to install the Certs system wide...

Without relying on CA Certs (again, see the fake *.google.com cert that
appeared today), the second thing is to check the server certificate and
check its fingerprint (effectively the hash value of the SSL cert
content). If this hash value does not change we can be pretty sure that
the server cert hasn't changed and we connect to the same server. If the
hash changes, we might be connecting to a man-in-the-middle server.

Hope I was making sense, I am no security expert by far.

Sebastian
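
The fingerprint check described in the message above, as an added example that is not part of the original message and is not OfflineIMAP's own code. It assumes SHA-256 over the DER-encoded certificate; the function names, the `PinMismatch` exception and `SAMPLE_CERT` are hypothetical, and the sample bytes are constructed.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER certificate bytes, so the check runs offline.
SAMPLE_CERT = b"constructed stand-in for a DER-encoded server certificate"


class PinMismatch(Exception):
    """Server presented a certificate whose hash differs from the stored one."""


def cert_fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Hash of the certificate content, as lowercase hex."""
    return hashlib.new(algo, der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("fingerprint is not hex")
    return cleaned


def matches_pin(der_cert: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Compare the presented certificate against the configured fingerprint."""
    expected = normalize(pinned)
    if len(expected) != hashlib.new(algo).digest_size * 2:
        raise ValueError("pinned fingerprint has the wrong length for " + algo)
    return hmac.compare_digest(cert_fingerprint(der_cert, algo), expected)


def open_pinned(host: str, pinned: str, port: int = 993) -> ssl.SSLSocket:
    """Connect without CA validation and trust only the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no CA list in use: the pin is the trust anchor
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    # Check on this same connection, before any login data is sent over it.
    if not matches_pin(tls.getpeercert(binary_form=True), pinned):
        tls.close()
        raise PinMismatch("certificate for %s changed, possible man-in-the-middle" % host)
    return tls
```

The stored fingerprint has to come from a trusted first look at the server, and it must be updated whenever the server's certificate is legitimately replaced.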