Hacker News new | comments | show | ask | jobs | submit login

Thank you for clarifying this. Your notes make me feel much better about sending you my password, and I'm glad you thought about self-signed SSL certificates too.

I still would like a warning to show up before I allow connecting to the server if it presents a self-signed certificate. Even something like this could get the point across:

    +------------------------------------------+
    | ======= Inky security warning ===========|
    +------------------------------------------+
    | Nobody's verified the identity of the    |
    | people who operate this mail server. Are |
    | you sure you want to send your password  |
    | to this unknown mail server?             |
    |                                          |
    | [Yes, send my password, and remember     |
    |   this mail server's fingerprint in the  |
    |   future]                                |
    |                                          |
    | [No, do not continue]                    |
    |                                          |
    | [More details...]                        |
    +------------------------------------------+



We'll certainly make it clearer. We've gone back and forth on this internally (design/simplicity vs security/clarity). I agree it should give you some kind of indication that it's not a CA-signed certificate. I'd also like to show EV certificates differently, though I'm not sure many providers offer them yet for mail servers.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: