Security here we come

The IMAP client provided with the version of Symbian on my phone has an interesting way of verifying certificates used for encrypting IMAP connections.

As one would expect the client verifies the signatures on the certificate offered by the IMAP server and will prompt the user if it sees signatures that it can’t trace back to an authority it trusts. Unfortunately it is not possible to tell the device to remember the decision which means that when the device prompts it will prompt every time it connects to the server in question. The result of this is user irritation and a reduction in security since there is much less chance that a changed server certificate will be noticed.

You would expect that there would be a lot of users encountering this given that so many sites don’t use a signed certificate but it turns out that this is not the case. Someone must have realised how many systems would be affected and so a solution was provided – if the server is using an unsigned certificate then the phone will accept it without warning the user at all. Only servers with signatures from an unknown trust source like a private certificate authority will cause the user to be prompted to verify the server certificate. This avoids both user irritation and any chance that the user will actually verify the fingerprint of the server they are connecting to, exposing users to spoofing and redirection based attacks.

Clearly someone hasn’t thought through what they’re doing here – it all rather defeats the point of signing in the first place. On the bright side, this is the first Symbian phone I have seen where the native IMAP client encrypted connections at all so having this problem is progress.