The Deliverator – Wannabee

So open minded, my thoughts fell out…

SSL, oh how I love thee…

Posted by Deliverator on September 19th, 2005

So, I have been playing around some more with the Qmail email client on my Jornada, as mentioned in yesterday's post. All in all, I really like it. I don't like many of the program's default options, but once configured, it makes a surprisingly robust email client. It is close to Outlook Express in its level of functionality, although it doesn't really hold a candle to Thunderbird, my current desktop email client of choice.

I took a look at Speakeasy's rather sketchy documentation on enabling secure authentication and mail transport, but didn't have much luck getting Qmail to work securely. After some research, I found that the fault is not Qmail's, but rather the expiration of several root certificate authorities in the Jornada's schannel DLL file. Microsoft has never offered an updated list of certificate authorities to older Windows CE users, although users of desktop versions of Windows may have noticed a root certificates update when visiting Windows Update. An enterprising programmer has offered an updated version of this file on the Handango site, which I may purchase at some time if I get desperate enough. Another alternative that should work is to manually download the certificate. Qmail has the option to work with a manually downloaded certificate. This is a very nice option, as many universities and larger institutions issue their own security certificates rather than pay a certificate authority. The one downside is that with most institutions that use a certificate authority, their SSL certificate expires once a year. Given the number of email accounts I access, this likely means I will have to manually download and convert certificates at least a few times a year.

I have never been a big fan of the whole SSL security model. Too many people trust that when they see that yellow lock in the corner of their browser, they are secure. SSL man-in-the-middle attacks are still widely successful, as users do not check the source of a certificate, or, even if presented with an SSL-related error message, often just click the "accept anyway" option, as they don't understand in the slightest how SSL is supposed to operate. It is also very easy to get a certificate from one of the trusted security certificate companies. About the only thing that nice little lock really tells you these days is that someone forked over some dough to one of the certificate authorities…