Hi there,

As far as I can tell, Evolution uses a default set of SSL certificate authorities.

However, I've been told that the Certificate Authorities system is fundamentally flawed, in the sense that CAs don't communicate with each other, any of them can sign for any domain name, and I've been told some CAs are quite untrustworthy. This is a scary prospect.

Now, I never had to "accept" the certificate for Google to use GMail through IMAP. To be honest, I would have expected some sort of prompt that says, "Hey, this is the first time you're connecting to that host... are you certain that you are on a trusted network connection and the host you are connecting to is really the one it claims to be?"...

My question is thus the following: if the user is not the one manually vetting the certificates, what happens when someone tries to do a man-in-the-middle attack (i.e. you're on an untrusted wifi, someone tries to impersonate the GMail IMAP servers and provide a valid, signed certificate that is different from Google's)? Will the user get (I hope) a big scary "SOMETHING IS VERY WRONG" warning like SSH does when server fingerprints don't match?

I'm of course not a security expert, but would like some reassurance that Evolution is actually safe against this scenario.

Thanks

_______________________________________________
evolution-list mailing list
evolution-list@gnome.org
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list
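The two trust decisions the question contrasts, modelled as an added example (this is not code from the thread, from Evolution, or from any TLS library): a CA-model client accepts a certificate when it chains to a CA in its trust store and the certificate's names cover the hostname being connected to, with no first-use prompt; an SSH-style client pins the fingerprint on first contact and alarms when it later changes. All CA names, keys and certificates below are constructed, and the signature, validity-period and revocation checks a real client also performs are left out so the two decisions stand out.

```python
"""Toy model of two trust decisions: the CA model a TLS mail client uses
versus SSH-style trust-on-first-use (TOFU). Added example; every CA name,
key and certificate here is constructed, and the signature, validity and
revocation checks a real client also performs are deliberately omitted."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    dns_names: tuple[str, ...]  # names from the Subject Alternative Name
    issuer: str                 # CA that signed the certificate
    public_key: bytes           # stands in for the real key material


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or one leading wildcard label that
    covers exactly one label ("*.example.com" matches "imap.example.com"
    but not "example.com" or "a.b.example.com"); bare "*.com" is refused."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def ca_model_verdict(cert: Cert, hostname: str, trusted_cas: frozenset[str]) -> str:
    """What a CA-model client decides: no pinning, no first-use prompt.
    A REJECT here is what surfaces to the user as the certificate warning."""
    if cert.issuer not in trusted_cas:
        return "REJECT: issuer not in trust store"
    if not any(hostname_matches(n, hostname) for n in cert.dns_names):
        return "REJECT: certificate names do not cover " + hostname
    return "ACCEPT"


def tofu_verdict(hostname: str, public_key: bytes, known_hosts: dict[str, str]) -> str:
    """What an SSH-style client decides: pin on first contact, alarm on change."""
    fingerprint = hashlib.sha256(public_key).hexdigest()
    pinned = known_hosts.get(hostname)
    if pinned is None:
        known_hosts[hostname] = fingerprint
        return "ACCEPT: first use, fingerprint pinned"
    if pinned != fingerprint:
        return "REJECT: fingerprint changed since first use"
    return "ACCEPT"


# Constructed scenario data. The hostname is the one from the question;
# the CAs, keys and certificates are made up for illustration.
TRUSTED_CAS = frozenset({"Trusted CA A", "Trusted CA B"})
HOST = "imap.gmail.com"
GENUINE = Cert(("imap.gmail.com", "*.gmail.com"), "Trusted CA A", b"genuine-key")
# Valid and signed by a trusted CA, but issued for a different name.
WRONG_NAME = Cert(("mail.other.example",), "Trusted CA B", b"other-key")
# Right name, but signed by a CA that is not in the client's trust store.
UNTRUSTED_ISSUER = Cert(("imap.gmail.com",), "Some Unknown CA", b"other-key")
# Right name, signed by a trusted CA that should never have issued it:
# the structural weakness of the CA model that the question describes.
MISISSUED = Cert(("imap.gmail.com",), "Trusted CA B", b"other-key")


def run_scenarios() -> dict[str, str]:
    """Return each scenario's verdict under both models."""
    known_hosts: dict[str, str] = {}
    return {
        "ca/genuine": ca_model_verdict(GENUINE, HOST, TRUSTED_CAS),
        "ca/wrong-name": ca_model_verdict(WRONG_NAME, HOST, TRUSTED_CAS),
        "ca/untrusted-issuer": ca_model_verdict(UNTRUSTED_ISSUER, HOST, TRUSTED_CAS),
        "ca/misissued": ca_model_verdict(MISISSUED, HOST, TRUSTED_CAS),
        "tofu/first-contact": tofu_verdict(HOST, GENUINE.public_key, known_hosts),
        "tofu/same-key": tofu_verdict(HOST, GENUINE.public_key, known_hosts),
        "tofu/key-changed": tofu_verdict(HOST, MISISSUED.public_key, known_hosts),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The "wrong-name" and "untrusted-issuer" rows are the cases the question asks about: a certificate that is valid and signed but not for the host being connected to, or not from a CA in the store, is rejected without any first-use prompt having been needed. The "misissued" row is the residual risk the question names, a trusted CA signing a name it should not have, which the CA model's two checks cannot distinguish from the genuine case; the TOFU rows show that SSH's model catches a key change on a host it already knows but has nothing to compare against on first contact.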