Add Support for SSL Certificates
Posted: Sun Oct 12, 2014 8:32 pm
A while back I was using airport WiFi and the POP Peeper icon turned yellow. I opened up a web browser and saw why. The public WiFi was redirecting me to a terms and conditions page and would not let any traffic out until I agreed. When I opened the Thunderbird email client, it alerted me that the certificate for my mail host had changed and was invalid. POP Peeper did no such thing. Once I agreed to the T&C, PP started working (as well as all my other applications).
Because POP Peeper does not support certificates, it would have been possible for me to have been hit with a man-in-the-middle attack and my password could have been stolen.
I would like to see PP implement the same sort of SSL certificate support seen in other clients. It should try to verify the validity of the certificate for SSL/TLS connections. If there is a problem, it should let the user know and give the option to view the certificate and abort, proceed or proceed and add the certificate to an exception store. (The desired behavior can be seen in both Mozilla Thunderbird and Mozilla Firefox.)
I know some think the whole SSL certificate thing is just about making money, but there is a purpose to having the email client check the certificate. I actually use self-signed certificates for some of my email accounts. But those certificates don't change that often. If I were to sit down at a coffee shop and get hit with a warning about the certificate being invalid, it would arouse my suspicions.
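
The behavior requested above (verify the certificate, and on failure check a per-server exception store before any password is sent), sketched as an added example; it is not part of the original post and is not code from POP Peeper, Thunderbird or Firefox. `ExceptionStore`, `decide` and `probe` are hypothetical names, and the store pins the SHA-256 of the DER certificate per host and port.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, used as the pin."""
    return hashlib.sha256(der).hexdigest()

class ExceptionStore:
    """Hypothetical per-server store of certificates the user chose to accept."""
    def __init__(self):
        self._pins = {}
    def add(self, host, port, der):
        self._pins[(host.lower(), port)] = fingerprint(der)
    def pinned(self, host, port):
        return self._pins.get((host.lower(), port))

def decide(host, port, der, verify_error, store):
    """Classify a connection before any password is sent."""
    if verify_error is None:
        return "trusted"        # chain and host name validated normally
    pin = store.pinned(host, port)
    if pin is None:
        return "untrusted"      # prompt: view / abort / proceed / add exception
    if pin == fingerprint(der):
        return "exception"      # same certificate the user accepted earlier
    return "changed"            # accepted certificate was replaced: warn loudly

def probe(host, port, timeout=10):
    """Return (der, verify_error) for a TLS-wrapped mail port such as POP3S 995."""
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), None
    except ssl.SSLCertVerificationError as exc:
        error = exc.verify_message
    # Verification failed: reconnect without verification only to fetch the
    # certificate for display and fingerprinting. Nothing else is sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), error
```

A self-signed certificate the user accepted once comes back as "exception" on later connections, while a captive portal or interceptor presenting a different certificate for the same server comes back as "changed".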