
I am trying to decide on a new e-mail service. I use fetchmail to fetch my e-mail and process it using procmail. Some of the email services (e.g. gmx.com, outlook.com, etc.) do not seem to require the certificate and the fingerprint to be checked. Some others, such as inbox.com or gmail.com, do. I am wondering if there is a security hole in going from the latter kind to the former. What is the value of the certificate checking? Sorry that I am not a cryptography guy, but I would not like to have a bigger security hole than needed.

Thanks!

user3236841

1 Answer


Some of the email services ... do not seem to require the certificate and the fingerprint checked. Some others ... do. ... What is the value of the certificate checking?

The server certificate is checked to make sure that you are talking to the expected server and not some attacker doing a man in the middle attack. With a successful man in the middle attack it is possible to read and even modify the transferred data and neither client nor server will notice.

Checking the server's certificate (either as a certificate or as a fingerprint) is done by the client and cannot be enforced by the server. Thus it is fully up to you whether you do a proper check and verify that you are talking to the expected server, or omit certificate validation and are thus open to man in the middle attacks.

Steffen Ullrich
  • Thanks, is there a benefit to have ssl certificate checking in addition to ssl fingerprint checking? – user3236841 Sep 30 '16 at 22:20
  • @user3236841: not really, it makes more sense to use either a fingerprint or a check against a trusted CA. The first case is used to check against a specific certificate and needs to be updated whenever the certificate's public key changes. The latter will accept a new certificate for the host as long as it is signed by a trusted CA and has the expected subject. – Steffen Ullrich Oct 01 '16 at 05:23
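The two client-side checks compared in the answer and its comments, CA validation (what fetchmail's `sslcertck` does) and fingerprint pinning (what `sslfingerprint` does), as an added Python example that is not part of the original post; the host, account and pinned value used by `fetch_with_pin` are assumptions, and the comparison helper uses SHA-256 where fetchmail itself pins an MD5 fingerprint.

```python
"""Client-side TLS server verification for a mail fetcher, in two styles:
CA validation and certificate-fingerprint pinning. Only the client can
enforce either one; the server has no say in it."""
import hashlib
import hmac
import imaplib
import ssl


def ca_checked_context() -> ssl.SSLContext:
    """Verify the server certificate against the system trust store and check
    that its subject matches the requested host. A renewed certificate from a
    trusted CA is accepted without any configuration change."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname


def unchecked_context() -> ssl.SSLContext:
    """Encrypts the session but accepts any certificate: the hole described in
    the question. An active man-in-the-middle can present its own certificate
    and read or alter the mail and the login password unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of a DER certificate, the form pinned in a
    fetchmailrc 'sslfingerprint' line (fetchmail uses MD5; SHA-256 here)."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str, algo: str = "sha256") -> bool:
    """Pin check: the certificate must be exactly the recorded one, so the pin
    has to be updated whenever the server's key changes."""
    return hmac.compare_digest(fingerprint(der_cert, algo), pinned.upper())


def fetch_with_pin(host: str, pinned: str) -> imaplib.IMAP4_SSL:
    """Connect without CA validation, then enforce the pin ourselves before
    sending any credentials. host and pinned are assumed values."""
    conn = imaplib.IMAP4_SSL(host, ssl_context=unchecked_context())
    der = conn.sock.getpeercert(binary_form=True)  # DER bytes, even with CERT_NONE
    if not fingerprint_matches(der, pinned):
        conn.shutdown()
        raise ssl.SSLCertVerificationError(f"fingerprint mismatch for {host}")
    return conn
```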