The safety of GMail's POP server TLS certificate verification (or lack of it)

June 12, 2020

A while back I wrote an entry on how GMail hadn't been doing full TLS server certificate verification when fetching mail from remote POP servers. GMail may have verified that the POP server's TLS certificate was properly signed by a CA, but it didn't check the server name, which is the second part of server verification. This is not safe in general (even if you verify the IP address), but Google (and GMail) aren't everyone and they sit in a very special position in several ways.

I don't know if GMail's lack of verification was truly safe, and certainly it skips part of the purpose of verifying the TLS server hostname, but Google skipping this check can be safer than it is for almost anyone else. The basic reason why is that Google is in a position to be very confident that it's not talking to an impostor, if it wants to go to the effort. First, Google can check what it sees for DNS lookups, network routing, and TLS certificates from multiple vantage points around the Internet. This means that any tampering and MITM attacks must be global, not local, which generally means very close to the final network connection to the target.

(Of course, doing this sort of global check can run into issues with services that give you localized DNS results, with anycast routing, and so on. Nothing is perfect here.)

Second, Google can keep a history of all of this. If everything is consistent over time (and your previous connections worked and gave sensible results), you can be relatively confident that you're still connecting to the same thing. If you accepted the thing before, you can keep accepting it now. We weren't presenting the same TLS server key every time (as far as I know, Certbot generates a new keypair every time it renews your TLS certificate, which is about every 60 days), but we were presenting a valid TLS certificate for the same set of TLS names (that were valid DNS names for our IMAP and POP server).

None of this could make GMail's lack of full checking completely safe. But it at least could make it a lot safer than an isolated program or service trying to do the same thing. Google's in a position to have a lot of information that let it 'authenticate' (in some sense) your server, which is part of the reasons for verifying the server name.

(At the same time, I expect that GMail's behavior was ultimately for pragmatic reasons. It seems likely that they found that too many people had POP servers with TLS certificates that didn't include the right name. I can't throw stones about this, since we accidentally did this, as covered in my first entry.)

Written on 12 June 2020.
« Dual displays contrasting with virtual screens (aka multiple desktops)
An interesting combination of flaws in some /etc/mailcap handling »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Jun 12 23:14:03 2020
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.