warnings about invalid mail server certificates

Support topics for the mail/news/chat client

warnings about invalid mail server certificates

Post by Robert2 » 2016-12-07, 18:07

Recently, I started getting warnings from Fossamail about invalid mail server certificates. I kept having to confirm security exceptions.
I found the solution at the AVAST site on the following page:
Avast Antivirus: Troubleshooting warnings about invalid mail server certificates when sending and receiving e-mails


Re: warnings about invalid mail server certificates

Post by half-moon » 2016-12-07, 19:26

In my opinion you should actually just disable the mail shield in avast, so you are not exposed to MiTM attacks due to Avast's SSL/TLS hijacking.


Re: warnings about invalid mail server certificates

Post by Robert2 » 2016-12-07, 20:20

Here is from https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/:
The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection. Since Avast is running with Administrator rights and elevated trust on the computer, it can create and store certificates that the browser correctly accepts and trusts for this, and only this, machine. For every original certificate, Avast makes a copy and signs it with Avast's root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose.

We want to emphasize that no one else has the same unique key that you have from the installation generated certificate. This certificate never leaves the computer and is never transmitted over the internet. The Windows System Certificate Store is the only place where your computer's certificate is stored and accessed.

User avatar
Pale Moon guru
Pale Moon guru
Posts: 26141
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: warnings about invalid mail server certificates

Post by Moonchild » 2016-12-08, 10:46

I want to emphasize that ANY SSL/TLS interception is a bad idea, because it will break end-to-end encryption and makes it impossible for the client to verify its connection is authenticated. Enabling this actually opens you up to MitM attacks on the 'net.

People should really stop touting this as a "security feature" because it is anything but that.

See also: viewtopic.php?f=24&t=14122
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose