I have a mail server that has a self signed SSL certificate.
I use Thunderbird to access this server, and it asks me to accept this certificate.
So let's say I accept this in a semi-secure location, for example on a local network.
Then move on to an insecure net with my certificate accepted in Thunderbird email client.
Thunderbird is set to use STARTTLS to the email server.
Is it so that once this certificate is accepted, it is impossible to do a man-in-the-middle attack? For somebody to make use of this public self-signed SSL certificate, they also need a private key that the mail server keeps?
The red flag is if Thunderbird one day suddenly wants me to accept a new certificate from the mail server.
You should strongly consider getting a free SSL cert if you control the domain. There are a couple of providers of free certs.
The “accepted” cert in Thunderbird pairs the hostname by which you referenced the server with the thumbprint of the certificate. So a MITM attack would be nigh impossible without solving the DL Problem. This assumes you picked a reasonable bit length (2048 or 4096 these days; though arguments could be made for 1024).
PKI Keys are only ever useful if you have both the private and public key. Yes, new warnings about certificate errors should always be reviewed with the utmost discernment.
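The trust-on-first-use pinning that the question's scenario and the answer's "hostname paired with thumbprint" description both refer to, as an added example written for this page (it is not Thunderbird's code and was not posted by either participant). It assumes the hostnames mail.example.test and imap.example.test, uses constructed placeholder byte strings in place of real DER certificates, and walks through the four situations the thread raises: first acceptance on the trusted network, the same certificate seen later from an untrusted network, a different certificate presented under the same name (the "red flag"), and the genuine certificate seen under a different hostname.

```python
"""Trust-on-first-use (TOFU) pinning of a self-signed mail server certificate.

Added example, not Thunderbird's code or anything from the original post.
Hostnames and the "certificate" byte strings below are constructed
placeholders, not real DER certificates; only the SHA-256 over those bytes
is exercised, which is all the pin logic needs.
"""
import hashlib
import hmac
import imaplib
import ssl
from enum import Enum


class Verdict(Enum):
    FIRST_USE = "no pin stored for this host: show the accept dialog"
    MATCH = "presented certificate matches the pin: proceed"
    MISMATCH = "presented certificate differs from the pin: refuse, possible MITM"


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate as colon-separated hex,
    the format mail clients and browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Same thumbprint for a PEM string, e.g. what ssl.get_server_certificate() returns."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


class PinStore:
    """Maps (hostname, port) to the accepted thumbprint, like the client's
    security-exception list.  The pin is per host, so the same certificate
    seen under a different name still triggers the dialog."""

    def __init__(self) -> None:
        self._pins = {}  # (hostname, port) -> colon-separated SHA-256 thumbprint

    def check(self, host: str, port: int, der: bytes, accept_on_first_use: bool = False) -> Verdict:
        key = (host.lower(), port)
        seen = fingerprint(der)
        pinned = self._pins.get(key)
        if pinned is None:
            if accept_on_first_use:  # the user clicked "confirm security exception"
                self._pins[key] = seen
            return Verdict.FIRST_USE
        # Constant-time compare; a mismatch is the red flag the answer describes.
        if hmac.compare_digest(pinned, seen):
            return Verdict.MATCH
        return Verdict.MISMATCH


def fetch_starttls_cert(host: str, port: int = 143) -> bytes:
    """Live helper (not used by the offline demo): open a plain IMAP connection,
    upgrade it with STARTTLS and return the server's DER certificate so its
    thumbprint can be compared with the one read directly on the server.
    Chain verification is switched off only because a self-signed certificate
    has no chain; the thumbprint comparison is the actual check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    imap = imaplib.IMAP4(host, port)
    try:
        imap.starttls(ctx)
        return imap.sock.getpeercert(binary_form=True)
    finally:
        imap.shutdown()


# Constructed placeholder "certificates": these bytes stand in for DER encodings.
SERVER_CERT = b"constructed-der-placeholder: mail.example.test self-signed cert"
ROGUE_CERT = b"constructed-der-placeholder: interposed cert for the same name"
SERVER_CERT_PEM = ssl.DER_cert_to_PEM_cert(SERVER_CERT)  # PEM framing around the same bytes


def demo() -> list:
    """Walk through the scenario in the question and return the verdicts."""
    store = PinStore()
    host = "mail.example.test"
    return [
        # 1. First connection on the trusted LAN: the user accepts the self-signed cert.
        store.check(host, 143, SERVER_CERT, accept_on_first_use=True),
        # 2. Later, from an untrusted network, the real server presents the same cert.
        store.check(host, 143, SERVER_CERT),
        # 3. An interposed server presents a different cert for the same name.
        store.check(host, 143, ROGUE_CERT),
        # 4. The genuine cert seen under another hostname is not covered by the pin.
        store.check("imap.example.test", 143, SERVER_CERT),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The pin is keyed on the name the client connected to, not on the certificate alone, which is why step 4 prompts again even though nothing hostile happened. To seed the pin from a known-good value rather than blind first use, read the thumbprint on the server itself (for example with the server's own TLS tooling) and compare it with `fingerprint(fetch_starttls_cert(host))` before clicking accept.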