48

Do not automatically accept all SSL certificates [released]

asked 2014-01-04 22:35:28 +0200

martti gravatar image

The Mail app is set to automatically accept all SSL certificates by default, which is a security risk. I'm awfully sorry to complain about something because it works ( :-) ), but I was unpleasantly surprised when I successfully managed to set up my email account (which uses a self-signed SSL certificate) without the Jolla complaining about the certificate's validity.

In all seriousness, though, the device should not blindly trust certificates -- at least not without informing the user. Instead, it should give the user the option to (manually) inspect it and then accept (e.g., by adding an exception, either globally or just for the Mail app) or reject. Alternatively, you could have an option like 'SSL (accept all certificates)' like the default mail app in Android, and make sure that the option 'SSL' rejects all certificates that haven't been signed by a trusted authority.


The question has been closed for the following reason "released in a software update" by VDVsx
close date 2014-06-10 14:11:41.786883

Comments

Though I cannot find it (search is lousy), I'm pretty sure this has been requested before...

AL13N (2014-01-05 00:07:42 +0200)
1

I've seen it mentioned in a comment to a related question here, but couldn't find a thread discussing the issue specifically.

martti (2014-01-05 00:20:34 +0200)
3

One way to do it would be to ask the user to accept the self-signed certificate and warn when the certificate changes (kind of like SSH). This same model could apply to the WWW browser, email and the certificates used in WiFi WPA Enterprise authentication. Also a certificate manager (UI) is needed.

Karri Huhtanen (2014-01-06 17:58:50 +0200)
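The behaviour asked for in the question (reject untrusted certificates unless the user explicitly adds an exception) and the SSH-style model in the comment above (remember the certificate accepted on first contact, warn when it changes) can be expressed as one small trust-on-first-use check. The following is an added example, not code from Sailfish OS or the Jolla Mail app; the host name, the in-memory pin store and the `connect_imap_tls` helper are assumptions for illustration. The weak "accept all" context is shown next to the strict default so the difference is visible in the settings rather than in a hidden flag.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple

# Constructed in-memory pin store: host -> SHA-256 fingerprint (hex) of the
# certificate the user explicitly accepted. A real app would persist this.
PinStore = Dict[str, str]


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def display_fingerprint(der_cert: bytes) -> str:
    """Colon-separated form suitable for showing to the user for inspection."""
    fp = fingerprint(der_cert).upper()
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))


def check_pin(store: PinStore, host: str, der_cert: bytes) -> str:
    """Classify a presented certificate against the pin store.

    Returns one of:
      "unknown"  - first contact; the UI must show the fingerprint and ask
      "match"    - same certificate as the one previously accepted
      "mismatch" - certificate changed; warn and do not send credentials
    """
    pinned = store.get(host)
    if pinned is None:
        return "unknown"
    return "match" if pinned == fingerprint(der_cert) else "mismatch"


def accept_pin(store: PinStore, host: str, der_cert: bytes) -> None:
    """Record the user's explicit decision to trust this exact certificate."""
    store[host] = fingerprint(der_cert)


def make_context(accept_all: bool) -> ssl.SSLContext:
    """The two settings side by side: strict default vs. 'accept all'."""
    ctx = ssl.create_default_context()  # CA validation + hostname check
    if accept_all:
        # Weak setting: no chain validation and no hostname check, so any
        # certificate presented by a man-in-the-middle is accepted silently.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_imap_tls(host: str, store: PinStore,
                     port: int = 993) -> Tuple[Optional[ssl.SSLSocket], str]:
    """Hypothetical helper: open a TLS socket to an IMAPS server.

    1. Try CA validation with the system trust store first.
    2. Only if that fails, fetch the leaf certificate for inspection and
       consult the pin store. Anything other than "match" returns no socket,
       so the caller cannot log in before the user has decided.
    """
    strict = make_context(accept_all=False)
    try:
        raw = socket.create_connection((host, port), timeout=10)
        return strict.wrap_socket(raw, server_hostname=host), "ca-valid"
    except ssl.SSLCertVerificationError:
        pass  # fall through to the pin check below

    probe = make_context(accept_all=True)  # used only to read the certificate
    raw = socket.create_connection((host, port), timeout=10)
    tls = probe.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    verdict = check_pin(store, host, der)
    if verdict != "match":
        tls.close()
        return None, verdict
    return tls, verdict


if __name__ == "__main__":
    # Offline walk-through with constructed certificate bytes (not real DER).
    store: PinStore = {}
    cert_a = b"constructed-certificate-A"
    cert_b = b"constructed-certificate-B"
    print(check_pin(store, "imap.example", cert_a))   # unknown -> ask the user
    accept_pin(store, "imap.example", cert_a)         # user accepted it
    print(check_pin(store, "imap.example", cert_a))   # match
    print(check_pin(store, "imap.example", cert_b))   # mismatch -> warn
    print(display_fingerprint(cert_a))
```

The "unknown" and "mismatch" verdicts are what the question asks the UI to surface: on first contact the user sees the fingerprint and decides, and a later change is reported instead of silently accepted. A per-host pin is also narrower than a global "accept all" switch, because accepting one server's self-signed certificate does not disable validation for every other account.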

Wrote a possible way to handle self-signed certificates in any Jolla app here: https://together.jolla.com/question/11215/accepting-self-signed-certificates/. It is based on my previous comment in this thread.

Karri Huhtanen (2014-01-09 11:36:15 +0200)

1 Answer

0

answered 2014-06-09 20:25:49 +0200

VDVsx gravatar image

Implemented in 1.0.7.16, Saapunki.


Comments

2

No, it is not implemented in Saapunki. In Saapunki, Jolla has implemented an insecure option for accepting all untrusted certificates. The question clearly specifies that the implementation should have the option for the user to accept a single server certificate and not open all his email settings to potential man-in-the-middle attackers by accepting all unknown certificates. Jolla and SailfishOS now have two places (Mail and Exchange apps) where certificates are handled insecurely. Please open this again until a better implementation is available.

Karri Huhtanen (2014-06-10 13:40:44 +0200)

For that there's: https://together.jolla.com/question/1607/gui-to-addtrust-ssl-root-certsself-signed-certs/

That's not only for email app.

VDVsx (2014-06-10 14:11:24 +0200)


Seen: 3,645 times

Last updated: Jun 09 '14