Frequently Asked Question

SSL and Security Warnings when away from home
Last Updated 6 years ago

Sometimes, when you are out and about, especially when using guest corporate Wi-Fi, you may start to see warnings from your email software saying the certificate isn't valid or there is a problem with the server. Why is this?

Most corporate environments check their incoming and outgoing mail; if you are using our email systems, you'll find that we do the same. In order for your email to be secure there is a chain of trust. Your client is presented with a 'certificate' by the server saying who it is, so that your client can be sure that it is talking to the real server and not an impostor.

This certificate must match another on your computer called a CA. The CA, or Certificate Authority, verifies that the certificate is genuine and was issued by a trusted organisation. Most systems use a CA that is publicly available (for example, we use many Verisign certificates); however, some use a CA that is only available on the local network. Where this happens, unless you install that CA, the certificate won't be verifiable.

But you are only talking to your mail server, not another, and your server always works, so this is an error? No, many security systems intercept email. This isn't a new thing and has been going on for years. It's not normally (although it can be) a bad thing. By doing so, your inbound email is kept clean and people on the network can't send things out they shouldn't. It's also often used to enforce corporate archival policies.

Now, when dealing with insecure traffic, this all works transparently; however, with SSL it can go a bit wrong. Your traffic should be intercepted, the intercepting party gives you a valid certificate to prove who it is, you have a matching CA, then that machine talks to your email server. The problem here is twofold. Firstly, it's a bodge, and secondly, SSL is designed to stop just this sort of thing, known as man in the middle. A good email client will see that the certificate doesn't match, it'll throw an error and refuse to connect. This is what *should* happen. If it doesn't, the next thing may be a complaint about the certificate not having a matching CA. Many vendors supply a CA for the local network to solve this; if it isn't your network, it's not something you have, and your client refuses to connect again. There are ways round this: the server can listen for the connection, talk to your server, grab its name and pretend to be your server. This adds a hop and, again, SSL is designed to stop this, so it'll work some of the time, but not all of the time.

On top of all of this, we are VERY careful about how we set our servers up, which means the security settings are pretty high anyway, which increases the chances of this failing.

It's also seen on some mobile networks, so tethering may not solve the issues. No UK or Canadian providers do this at the moment that we are aware of, but elsewhere...

And one final thought: if you don't know the network you are using, are you *sure* this isn't an attack and attempt to steal data? If your client normally works just fine, then it's probably a good sign to stop trying. If you persist, at best your private emails may end up in a corporate archive; at worst, they end up in the wild.

If you have it enabled, you can try using Webmail, but again, you may see similar SSL errors if your traffic is being intercepted.
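To tell the two certificate failures described above apart (a certificate that doesn't match the server name versus one with no matching CA), here is an added example that is not part of the original FAQ or our own tooling. It assumes a mail server on the implicit-TLS IMAP port 993; the hostname mail.example.com and the function names are placeholders chosen for illustration.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes mapped to the two failures the FAQ describes.
UNKNOWN_CA = {18, 19, 20, 21}   # self-signed, or issuer not in the local trust store
HOSTNAME_MISMATCH = 62          # certificate was issued for a different server name


def classify(exc):
    """Map a certificate verification failure to one of the FAQ's scenarios."""
    code = getattr(exc, "verify_code", None)
    if code == HOSTNAME_MISMATCH:
        return "name-mismatch"
    if code in UNKNOWN_CA:
        return "unknown-ca"
    return "other"


def issuer_name(cert):
    """Flatten the issuer field of an ssl getpeercert() dict into one string."""
    pairs = [pair for rdn in cert.get("issuer", ()) for pair in rdn]
    return ", ".join(f"{key}={value}" for key, value in pairs)


def probe(host, port=993, timeout=10):
    """Connect with full verification; report the issuer, or why it failed."""
    ctx = ssl.create_default_context()   # checks both the CA chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("verified", issuer_name(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return (classify(exc), exc.verify_message)


if __name__ == "__main__":
    # Placeholder hostname: replace with your own mail server's name.
    print(probe("mail.example.com"))
```

Run it once on a network you trust and note the issuer; a different issuer, or a "name-mismatch" or "unknown-ca" result, on a guest network means something between you and the server is answering in its place.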

R
