Raising The Shields – Part 12: Why Do eMail Clients Not Have An Option To Show Certificate Changes?

There we go, as recently reported, my eMail hosters now use Perfect Forward Secrecy (PFS) key negotiation to thwart mass surveillance. There is one more thing I'd like to have though, not from them, but from Mozilla and others working on eMail client programs such as Thunderbird: warnings when SSL certificates change.

While it's great to have PFS in place, there is still a loophole: anyone able to create a certificate for my eMail hoster's domain on the fly can still spy on my eMail traffic, because PFS only protects the session keys and does nothing to prove that the server I am talking to is the real one. The only thing that could warn the user is the eMail client itself, by presenting a warning when the hoster's certificate changes. I know that's probably nothing for the masses, but a little switch in the configuration for those who'd like to have it would be very nice.

On the web browser side I use the 'Certificate Patrol' plugin for the purpose and it's quite interesting to see when and how often certificates change. I'd really like to have something similar for Thunderbird as well!
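Until mail clients offer such a switch, the check can be scripted. The following is an added example, not code from the original post or from Thunderbird or Certificate Patrol: a tiny "Certificate Patrol" for mail servers that records the SHA-256 fingerprint of the certificate an IMAPS or SMTP-submission server presents and reports when it differs from the one seen before. It uses only the Python standard library; the host names, the pin-file location and the `accept_change` helper are assumptions of the example. Note that `ssl.create_default_context()` still performs normal CA and host-name validation, so the fingerprint comparison is an extra layer on top of it, which is exactly the case the post is about: a certificate that validates fine but is not the one the hoster used yesterday.

```python
"""Minimal 'Certificate Patrol' for mail servers (added example).

Records the SHA-256 fingerprint of a mail host's TLS certificate in a small
JSON pin store and warns when a later connection presents a different one.
Standard library only; host names and file paths are placeholders.
"""
import hashlib
import json
import smtplib
import socket
import ssl
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

FIRST_SEEN = "first-seen"   # no pin stored yet for this host:port
UNCHANGED = "unchanged"     # fingerprint matches the stored pin
CHANGED = "changed"         # fingerprint differs: warn, do not auto-accept


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as colon-separated hex
    (the same form Certificate Patrol and browser cert viewers display)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(store: dict, key: str, fp: str) -> Tuple[str, Optional[str]]:
    """Compare fp with the pin stored under key, e.g. 'imap.example.org:993'.

    Returns (status, previous_fingerprint). A first sighting is recorded
    (trust on first use); a mismatch is only reported and the old pin is
    kept, so the user decides whether the change was legitimate."""
    entry = store.get(key)
    if entry is None:
        store[key] = {"sha256": fp,
                      "first_seen": datetime.now(timezone.utc).isoformat()}
        return FIRST_SEEN, None
    if entry["sha256"] == fp:
        return UNCHANGED, fp
    return CHANGED, entry["sha256"]


def accept_change(store: dict, key: str, fp: str) -> None:
    """Replace the stored pin after the user has verified a change
    (hypothetical helper; a real client would prompt for this)."""
    store[key] = {"sha256": fp,
                  "first_seen": datetime.now(timezone.utc).isoformat()}


def fetch_cert_implicit_tls(host: str, port: int = 993, timeout: float = 10) -> bytes:
    """DER certificate of an IMAPS/POP3S/SMTPS endpoint (TLS from the start).
    Chain and host name are still validated by the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fetch_cert_smtp_starttls(host: str, port: int = 587, timeout: float = 10) -> bytes:
    """DER certificate of a submission server after the STARTTLS upgrade."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    import sys
    pin_file = Path.home() / ".mail_cert_pins.json"          # assumed location
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.org"  # placeholder
    store = load_store(pin_file)
    fp = fingerprint(fetch_cert_implicit_tls(host, 993))
    status, previous = check_pin(store, f"{host}:993", fp)
    print(f"{host}:993 {status} {fp}")
    if status == CHANGED:
        print(f"  WARNING: previously pinned fingerprint was {previous}")
    save_store(pin_file, store)
```

Run it from cron or a mail-fetch hook; the first run records the pin, later runs stay quiet unless the fingerprint moves. A `changed` result is not proof of interception (hosters do renew certificates), but it is the event the post wants surfaced so the user can compare the new fingerprint with what the hoster publishes before accepting it.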

P.S.: And in case you are wondering about previous 'Raising the Shields' posts, click on the privacy tag below or use this Google search.