Forgot your password?
typodupeerror
Google Security Technology

Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs 299

Posted by Unknown Lamer
from the security-through-redefinition dept.
DECula writes "In a move not communicated to its users beforehand, Google's Gmail servers were reconfigured to not connect to remote pop3 servers that have self-signed certificates, leaving folks with unencrypted connections, or no service when getting email from other services. Not good for the small folks. One suggestion was to allow placing the public keys on Google's side in the user configuration. That would be a heck of a lot better than just dropping users into never never land." Apparently, "valid" now means "paid someone Google approves to sign the certificate." It's not like commercial CAs have the best security track record either.
This discussion has been archived. No new comments can be posted.

Gmail Drops Support for Connecting To Pop3 Servers With Self -Signed Certs

Comments Filter:
  • alligation

    Is that like an allegation that hides beneath the surface of the river, biding its time?

  • by Score Whore (32328) on Tuesday December 18, 2012 @04:44AM (#42323209)

    You've now posted several times that self signed certs are useless and provide no security, in fact they lower security (from what baseline I must ask?)

    So I would make a little bet with you. I will put up $100,000, my testicles in a jar with a small plaque saying "These balls once belonged to a fool." You will put up $10,000 plus any required travel expenses to carry out the wager. The terms of the wager are that I will provide a client and a server system. The server will have a self signed certificate. You will provide the networking equipment of your choice as well as any device(s) you so desire to place in between my client and server. I will make an SSL connection from my client to my server. Your job is to MITM the connection without my being able to detect said MITMing. Note that I am allowing you to build the entire network connecting my two devices, only requirement being that it be standard ethernet. Additionally you do not get to tamper with my equipment, this is about the security of self signed certificates, not whether you can literally or metaphorically crowbar open my systems and install a keylogger to capture the passphrase of my private SSL keys.

    How about it? You game? I can always use an extra $10,000.

Without life, Biology itself would be impossible.

Working...