Vodafone/Ihug POP server cert has expired

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Sep 18, 2009.

  1. Starting at noon, my ten-minutely fetchmail crontask is now failing with

    fetchmail: Server certificate verification error: certificate has
    expired

    This is connecting to pop3.ihug.co.nz. I just tried a keyword search for
    "pop3" at vodafone.co.nz, but they don't seem to have any page showing what
    else to use, or indeed any list of recommended configuration settings at
    all.

    Yeah I know, I could turn off SSL/TLS in my fetchmail settings. Just what
    any security n00b would do...
     
    Lawrence D'Oliveiro, Sep 18, 2009
    #1

  2. On Fri, 18 Sep 2009 12:19:15 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >Starting at noon, my ten-minutely fetchmail crontask is now failing with
    >
    > fetchmail: Server certificate verification error: certificate has
    > expired
    >
    >This is connecting to pop3.ihug.co.nz. I just tried a keyword search for
    >"pop3" at vodafone.co.nz, but they don't seem to have any page showing what
    >else to use, or indeed any list of recommended configuration settings at
    >all.
    >
    >Yeah I know, I could turn off SSL/TLS in my fetchmail settings. Just what
    >any security n00b would do...


    Just what is so insecure about connecting unencrypted to your own
    ISP's mail server? Unless you think your ISP is running a network
    where their DNS has been hacked, it should be just fine.
     
    Stephen Worthington, Sep 18, 2009
    #2

  3. In message <>, Stephen Worthington
    wrote:

    > Just what is so insecure about connecting unencrypted to your own
    > ISP's mail server?


    Yeah, there's a point, considering it's hardly the weakest point in the
    chain...
     
    Lawrence D'Oliveiro, Sep 18, 2009
    #3
  4. AD. Guest

    On Sep 18, 9:20 pm, Stephen Worthington
    <34.nz56.remove_numbers> wrote:
    > Just what is so insecure about connecting unencrypted to your own
    > ISP's mail server?  Unless you think your ISP is running a network
    > where their DNS has been hacked, it should be just fine.


    Unless you're roaming and using some random public connection
    somewhere. But yeah, it wouldn't normally bother me much either.

    --
    Cheers
    Anton
     
    AD., Sep 18, 2009
    #4
  5. In message <h8ujm4$rv$>, Lawrence D'Oliveiro wrote:

    > Starting at noon, my ten-minutely fetchmail crontask is now failing with
    >
    > fetchmail: Server certificate verification error: certificate has
    > expired


    I figured it out. I'm not actually asking fetchmail to use SSL/TLS: it's
    automatically doing so because the POP server advertises that it supports
    STLS.

    There's no explicit option in fetchmail to turn this off, but if I tell it
    to use SSL specifically, this causes it to skip the TLS negotiation and I
    don't get the certificate expiry warning any more.

    And it is just a warning; I am still getting mail.
     
    Lawrence D'Oliveiro, Sep 19, 2009
    #5
  6. Carnations Guest

    On Fri, 18 Sep 2009 21:20:45 +1200, Stephen Worthington wrote:

    > Just what is so insecure about connecting unencrypted to your own ISP's
    > mail server? Unless you think your ISP is running a network where their
    > DNS has been hacked, it should be just fine.


    You should always treat all networks as if they were compromised (packet sniffing etc) in some way
    and use the most secure connections available to you.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Carnations, Sep 19, 2009
    #6
  7. In message <>, Carnations wrote:

    > You should always treat all networks as if they were compromised (packet
    > sniffing etc) in some way and use the most secure connections available to
    > you.


    Before you can formulate a practicable security plan, you have to know what
    sort of threats exactly you think you're guarding against.
     
    Lawrence D'Oliveiro, Sep 19, 2009
    #7
  8. On Sat, 19 Sep 2009 04:31:01 +0000 (UTC), Carnations
    <> wrote:

    >On Fri, 18 Sep 2009 21:20:45 +1200, Stephen Worthington wrote:
    >
    >> Just what is so insecure about connecting unencrypted to your own ISP's
    >> mail server? Unless you think your ISP is running a network where their
    >> DNS has been hacked, it should be just fine.

    >
    >You should always treat all networks as if they were compromised (packet sniffing etc) in some way
    >and use the most secure connections available to you.


    If your ISP's network is so compromised that someone else is doing
    packet sniffing on it, then surely they would have access to the POP3
    server already and have access to your email. And your ISP has no
    trouble accessing your email on their own server. I really think that
    encrypting a connection to your ISP's POP3 server is overkill (unless
    you are outside the ISP's network, of course). If you want to secure
    your emails, they need to be encrypted themselves, at source.
     
    Stephen Worthington, Sep 19, 2009
    #8
  9. Carnations Guest

    On Sat, 19 Sep 2009 22:32:53 +1200, Stephen Worthington wrote:

    > I really think that encrypting
    > a connection to your ISP's POP3 server is overkill (unless you are
    > outside the ISP's network, of course). If you want to secure your
    > emails, they need to be encrypted themselves, at source.


    I hadn't referred to where you're connecting from. Aren't Xtra's email servers now outsourced to Yahoo?

    And yes - I agree - confidential emails should be encrypted from source - as should their replies.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Carnations, Sep 19, 2009
    #9
  10. In message <>, Carnations wrote:

    > And yes - I agree - confidential emails should be encrypted from source -
    > as should their replies.


    Which would be better--public-key or secret-key encryption?
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #10
  11. In message <h91g2d$mdj$>, Lawrence D'Oliveiro wrote:

    > There's no explicit option in fetchmail to turn this off, but if I tell it
    > to use SSL specifically, this causes it to skip the TLS negotiation and I
    > don't get the certificate expiry warning any more.


    Nope, this doesn't work. So now I'm doing

    fetchmail -sf ~/etc/fetchmailrc 2>&1 | grep -v "certificate has expired"

    to ignore the warning.
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #11
  12. On Sun, 20 Sep 2009 12:15:22 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >In message <>, Carnations wrote:
    >
    >> And yes - I agree - confidential emails should be encrypted from source -
    >> as should their replies.

    >
    >Which would be better--public-key or secret-key encryption?


    Public key is much easier, as you do not have to have some secret way
    of sending a key. AFAIK, they are both equally good encryptions.
     
    Stephen Worthington, Sep 20, 2009
    #12
  13. On Sun, 20 Sep 2009 12:29:48 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >In message <h91g2d$mdj$>, Lawrence D'Oliveiro wrote:
    >
    >> There's no explicit option in fetchmail to turn this off, but if I tell it
    >> to use SSL specifically, this causes it to skip the TLS negotiation and I
    >> don't get the certificate expiry warning any more.

    >
    >Nope, this doesn't work. So now I'm doing
    >
    > fetchmail -sf ~/etc/fetchmailrc 2>&1 | grep -v "certificate has expired"
    >
    >to ignore the warning.


    Maybe you should get the source and do a patch to add an option, then
    send it back to the developers.
     
    Stephen Worthington, Sep 20, 2009
    #13
  14. In message <>, Stephen Worthington
    wrote:

    > On Sun, 20 Sep 2009 12:15:22 +1200, Lawrence D'Oliveiro
    > <_zealand> wrote:
    >
    >>In message <>, Carnations wrote:
    >>
    >>> And yes - I agree - confidential emails should be encrypted from source
    >>> - as should their replies.

    >>
    >>Which would be better--public-key or secret-key encryption?

    >
    > Public key is much easier, as you do not have to have some secret way
    > of sending a key.


    But you still have the problem of trusting the public key.

    > AFAIK, they are both equally good encryptions.


    It's not either/or. :)
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #14
  15. In message <>, Stephen Worthington
    wrote:

    > Maybe you should get the source and do a patch to add an option, then
    > send it back to the developers.


    Yeah, I thought about that. But it turns out this is a known issue. From the
    FAQ:

    Some servers advertise STLS (POP3) or STARTTLS (IMAP), and fetchmail
    will automatically attempt TLS negotiation if SSL was enabled at
    compile time. This can however cause problems if the upstream didn't
    configure his certificates properly.

    In order to prevent fetchmail from trying TLS (STLS, STARTTLS)
    negotiation, add this option:

    sslproto ssl23

    This restricts fetchmail's SSL/TLS protocol choice from the default
    "SSLv2, SSLv3, TLSv1" to the two SSL variants, disabling TLSv1. Note
    however that this causes the connection to be unencrypted unless an
    encrypting "plugin" is used or SSL is requested explicitly.

    And yes, that does work.
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #15
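    An added check, not code from the thread or from the fetchmail project: it performs the same clear-then-STLS upgrade that fetchmail does automatically on a server advertising STLS, and reports how long the server certificate has left, so a cron job can alert ahead of expiry instead of masking the warning with grep -v or dropping TLS. The host name is the one from the thread; the 14-day warning threshold is an assumption.

```python
import poplib
import ssl
import sys
import time

HOST = "pop3.ihug.co.nz"  # host named in the thread; port 110 is POP3 upgraded via STLS
WARN_DAYS = 14            # assumption: warn two weeks ahead of notAfter


def classify_not_after(not_after, now, warn_days=WARN_DAYS):
    """Classify a certificate's notAfter value (the 'Sep 18 00:00:00 2009 GMT'
    form that ssl.getpeercert() returns) against a Unix timestamp.
    Returns (status, days_left) with status in {"expired", "expiring", "ok"}."""
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400.0
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def probe_stls(host, port=110, timeout=10.0, now=None):
    """Connect in clear, issue STLS exactly as fetchmail does, and report on the
    server certificate. Verification stays on: a chain that fails (expired,
    wrong name, unknown CA) is reported as ("verify_failed", reason)."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        try:
            conn.stls(context=ctx)
        except ssl.SSLCertVerificationError as err:
            return "verify_failed", err.verify_message
        cert = conn.sock.getpeercert()
        return classify_not_after(cert["notAfter"], now or time.time())
    finally:
        conn.close()  # not quit(): after a failed handshake the session is unusable


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    status, detail = probe_stls(host)
    print(f"{host}: {status} ({detail})")
    sys.exit(0 if status == "ok" else 1)  # non-zero exit so cron mails the output
```

Run it from cron a few minutes before the fetchmail job; a non-zero exit turns an expired or soon-to-expire certificate into a mail from cron rather than a silently filtered warning.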
  16. On Sun, 20 Sep 2009 14:17:44 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >In message <>, Stephen Worthington
    >wrote:
    >
    >> On Sun, 20 Sep 2009 12:15:22 +1200, Lawrence D'Oliveiro
    >> <_zealand> wrote:
    >>
    >>>In message <>, Carnations wrote:
    >>>
    >>>> And yes - I agree - confidential emails should be encrypted from source
    >>>> - as should their replies.
    >>>
    >>>Which would be better--public-key or secret-key encryption?

    >>
    >> Public key is much easier, as you do not have to have some secret way
    >> of sending a key.

    >
    >But you still have the problem of trusting the public key.


    In the same way that you have a problem trusting a private key that is
    sent to you somehow. Only it is much easier to get the key. You can
    freely publish your public key on your web page with no loss of
    security. If the person you want to email is the owner of that web
    page and that is the only way you know him, then you can trust his
    public key from there as much as any other way he might get you a key
    (unless his web server has been hacked). There is always a problem
    trusting the initial setup of secure communications. At some point,
    you just have to decide to trust something and go ahead and see how it
    works out.

    >> AFAIK, they are both equally good encryptions.

    >
    >It's not either/or. :)


    Well, yes, you could use both at once if you are paranoid.
     
    Stephen Worthington, Sep 20, 2009
    #16
  17. In message <>, Stephen Worthington
    wrote:

    > On Sun, 20 Sep 2009 14:17:44 +1200, Lawrence D'Oliveiro
    > <_zealand> wrote:
    >
    >>But you still have the problem of trusting the public key.

    >
    > In the same way that you have a problem trusting a private key that is
    > sent to you somehow.


    Private keys must NEVER be disclosed.
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #17
  18. Carnations Guest

    On Sun, 20 Sep 2009 12:15:22 +1200, Lawrence D'Oliveiro wrote:

    > In message <>, Carnations wrote:
    >
    >> And yes - I agree - confidential emails should be encrypted from source
    >> - as should their replies.

    >
    > Which would be better--public-key or secret-key encryption?


    Surely you should use encryption that *only* the recipient can decipher.

    How you choose to do that is the concern only of the two of you.

    If you make a "public" key available either to everyone, or to one person only (using whatever delivery
    method you choose) that requires your undisclosed private key in order to decrypt the text, then only you
    will be able to read the encoded message.

    ...And the longer the key the better.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Carnations, Sep 20, 2009
    #18
  19. In message <>, Carnations wrote:

    > On Sun, 20 Sep 2009 12:15:22 +1200, Lawrence D'Oliveiro wrote:
    >
    >> In message <>, Carnations wrote:
    >>
    >>> And yes - I agree - confidential emails should be encrypted from source
    >>> - as should their replies.

    >>
    >> Which would be better--public-key or secret-key encryption?

    >
    > Surely you should use encryption that *only* the recipient can decipher.


    Not necessarily. Digital signatures can be decrypted by anybody.

    > If you make a "public" key available either to everyone ...


    But a public key still has to be distributed in a trusted fashion.
     
    Lawrence D'Oliveiro, Sep 20, 2009
    #19
  20. Carnations Guest

    On Sun, 20 Sep 2009 22:41:11 +1200, Lawrence D'Oliveiro wrote:

    >> If you make a "public" key available either to everyone ...

    >
    > But a public key still has to be distributed in a trusted fashion.


    The whole point of the "public" key is that it is available to all and sundry for use by all and sundry for
    sending a message exclusively to you in a way that nobody else can read without spending a very
    substantial quantity of resources to break your private key - certainly not easily read.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Carnations, Sep 20, 2009
    #20