Recently, I started getting warnings from Fossamail about invalid mail server certificates. I kept having to confirm security exceptions.
I found the solution at the AVAST site on the following page:
Avast Antivirus: Troubleshooting warnings about invalid mail server certificates when sending and receiving e-mails
HTH.
Robert
warnings about invalid mail server certificates
Re: warnings about invalid mail server certificates
In my opinion you should actually just disable the mail shield in Avast, so you are not exposed to MiTM attacks due to Avast's SSL/TLS hijacking.
Re: warnings about invalid mail server certificates
Here is a quote from https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/:
The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection. Since Avast is running with Administrator rights and elevated trust on the computer, it can create and store certificates that the browser correctly accepts and trusts for this, and only this, machine. For every original certificate, Avast makes a copy and signs it with Avast's root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose.
We want to emphasize that no one else has the same unique key that you have from the installation generated certificate. This certificate never leaves the computer and is never transmitted over the internet. The Windows System Certificate Store is the only place where your computer's certificate is stored and accessed.
Re: warnings about invalid mail server certificates
I want to emphasize that ANY SSL/TLS interception is a bad idea, because it will break end-to-end encryption and makes it impossible for the client to verify its connection is authenticated. Enabling this actually opens you up to MitM attacks on the 'net.
People should really stop touting this as a "security feature" because it is anything but that.
See also: viewtopic.php?f=24&t=14122
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
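Added example, not part of any post in this thread: a Python check that tells whether the certificate a mail client sees was issued by a local scanning proxy rather than by the mail server's own CA, and whether it still matches a fingerprint recorded earlier. The issuer string is the name given in the Avast blog text quoted above (the exact string on a given install is an assumption); `imap.example.org`, the sample certificates and the function names are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Issuer name as given in the Avast blog quote on this page (assumed to match the install).
LOCAL_PROXY_ISSUERS = ("Avast Web/Mail certificate root",)

def issuer_field(cert, field="commonName"):
    """Pull one issuer attribute out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def classify(cert, der_bytes, expected_sha256=None):
    """Return 'intercepted', 'unpinned', 'pin-ok' or 'pin-mismatch' for a leaf certificate."""
    cn = (issuer_field(cert) or "").lower()
    if any(marker.lower() in cn for marker in LOCAL_PROXY_ISSUERS):
        return "intercepted"  # signed on this machine, not by the server's CA
    if expected_sha256 is None:
        return "unpinned"
    actual = hashlib.sha256(der_bytes).hexdigest()
    wanted = expected_sha256.lower().replace(":", "")
    return "pin-ok" if actual == wanted else "pin-mismatch"

def fetch(host, port=993, timeout=10):
    """Fetch the leaf certificate from an implicit-TLS mail port (IMAPS 993, SMTPS 465)."""
    ctx = ssl.create_default_context()  # uses the system trust store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# Constructed sample data in getpeercert() format; not captured from a real server.
SAMPLE_INTERCEPTED = {"subject": ((("commonName", "imap.example.org"),),),
                      "issuer": ((("commonName", "Avast Web/Mail certificate root"),),)}
SAMPLE_DIRECT = {"subject": ((("commonName", "imap.example.org"),),),
                 "issuer": ((("organizationName", "Example CA"),),
                            (("commonName", "Example Issuing CA 1"),))}
SAMPLE_DER = b"constructed stand-in for the DER bytes of a certificate"

if __name__ == "__main__":
    print(classify(SAMPLE_INTERCEPTED, SAMPLE_DER))
    print(classify(SAMPLE_DIRECT, SAMPLE_DER, hashlib.sha256(SAMPLE_DER).hexdigest()))
```

For a live check, pass the two values returned by `fetch()` to `classify()` together with a fingerprint recorded from a network path without interception; a leaf-certificate fingerprint changes when the server renews its certificate, so a mismatch needs a second look rather than an automatic alarm.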