After some more research, I would like to correct my earlier statement. 
It seems that at least in Android (K9), choosing "TLS (if available)"
will allow the device to negotiate TLS, *even if the certificate
authority is not in the local keystore*.  In other words, there is no
chain of trust in this mode, so although you are encrypting your
connection, it doesn't stop anyone from performing a "man-in-the-middle"
attack and getting your password/reading your mail.

So, if you have changed your Android phone to use "TLS (if available)",
please change it back to "TLS (always)".  At this point, it should
accept the new certificate.  If it does NOT, please let me know.  I
tested it on Zoey's phone and it is working there.

Jim

On 01/26/2011 10:31 AM, Jim Lawson wrote:
> I borrowed Zoey's phone, and I can confirm that changing to TLS (if
> available) works.  TLS (always) does not.
>
> Speaking as someone with a passable knowledge of SSL/TLS, and the one
> who configured the mail servers at UVM, this makes no sense.  I think
> it is a client bug.
>
> However, it does seem to work.  It's not a great security practice,
> but fortunately UVM's IMAP servers won't let you log in with a
> password sent in the clear, so it is safe to do with our servers.  I
> wouldn't recommend it with other IMAP servers, though, unless the
> admin of the other server tells you it's OK, or you don't mind if
> someone can sniff your password.
>


-- 
Jim Lawson
Systems Architecture & Administration
Enterprise Technology Services
University of Vermont
Burlington, VT USA