Security certificate

Today when trying to retrieve Gmail messages I have started getting an “imap.gmail.com:993 uses an invalid security certificate” error message. The message goes on to say the certificate expired this morning at 5:43am. Any solutions? Why has this suddenly happened when I have made no changes?

I’m having the same problem. I’ve made no changes to my settings but I’m getting the message described in the original post.

What’s the trick to getting a new certificate?

I have something similar.

Thunderbird suddenly says

"You are about to override how Thunderbird identifies this site
legitimate banks, stores and other public will not ask you to do this

Server
Location: imap.gmail.com:993 [Get Certificate]

Certificate Status
permanently store this exception
[Confirm Security Exception] [Cancel]"

This goes away when I turn off the Avast Mail Scanner and restart Thunderbird,
which makes me think this is an avast issue.

Do you have the option to view the certificate details? Check the dates the certificate is valid and check that your system time is correct.

Sadly, ‘get Certificate’ does exactly nothing, and there is no option to show anything else.

There are more complaints about this pointing at avast:

http://forums.mozillazine.org/viewtopic.php?f=39&t=2695379

I can view certificate details. The certificate in question expired on 06/07/13. The date/time on my system is correct.

I am having the exact same issue as well. Has anyone found a solution yet?

The funny thing is of course that this only happens when avast’s MailShield is active. Once I turn it off, no complaints from Thunderbird.

I have a similar problem, I can’t use Google secure search. If I remove the “s” from HTTPS, Google works fine. Google search also works fine from my PC. Here, on my MacBook, Chrome says Google uses Avast! CA. My PC says it uses Google’s certificate though. Under Keychain it says Avast! CA doesn’t expire until 2023.

On my other mac, I can see more of the certificate, and it claims to be for imap.googlemail.com, but issued by Avast???
and yes, it expired.

Can someone explain why this cert would be issued by avast, and why it is not renewed?

I just raised a ticket on the avast! ticketing system on this:

#RTM-698-79670

imap.gmail certificate (avast! issued???) expired.
Details This issue has been discussed for over a week on the Avast! mac Forum, but there has been no action/resolution:
http://forum.avast.com/index.php?topic=126642.0

For over a week now, when accessing my IMAP mail accounts at gmail (imap.gmail.com and imap.googlemail.com),
with avast! MailShield enabled, I get a nasty warning.

see attached

The security certificate that is shown apparently is issued by Avast! and has expired on 8/6/13 (I take that to be the 8th of June).

When I disable MailShield, I get no certificate issues, and in fact TB shows no certificate at all.

It seems that MailShield (since V7.0??) inserts itself ‘seamlessly’ into the IMAP connection stream, and presents its own certificate to the mail client, but that has expired and does not get renewed.

That this issue has persisted for over a week, with no solution from Avast, and in fact that Avast seems to insert a bogus(?) certificate for sites greatly shakes my confidence in Avast’s security. How can I trust that there is no man-in-the-middle attack here?

Am I the only one with Google search problems then?

I have the same problem with imap.google.com, and I have to accept “the risks” each time I’m starting my Mac (Mail is set to start automatically at startup). The certificate expired on the 7th of June 2013 at 22:43:27 (Eastern European Time). Please fix this ASAP, it’s really annoying :frowning:

Every secure site I go to shows Avast! as the CA. My local bank, Wikipedia, Yahoo!, the EFF, and Ebay all showed the same thing and I could access them all, but not Google. So why is Avast! inserting itself as a blanket CA on my Mac but not my PC?

Avast customer service just replied to my ticket:

Hello,

Thank you for contacting AVAST Software company with your concerns.

First of all, uninstall the current version.
Uninstallation must be carried out from the application’s menu bar - item “Uninstall avast!”
Uninstalling avast! Antivirus for Mac:
http://www.avast.com/en-gb/faq.php?article=AVKB67#artTitle

Then install avast! version 7.0.38501 onto your computer, please follow these steps:
http://www.avast.com/en-gb/faq.php?article=AVKB69#artTitle

It seems to have helped. Have not checked the certificates as yet though.

Makes you wonder whether Avast’s certs are only generated during an install and need a full removal/reinstall to be regenerated (as the version they told me to install is the one I already had).

Still no good answer on why they inject this bogus(?) cert into the IMAPS stream (and why it only seems to have problems for Gmail/googlemail)

The answer is simple: that’s how the AV is able to scan encrypted connections (IMAPS). Avast acts as the mail client (a proxy) making the connection to the email server, decrypts, scans, encrypts with its cert that it installed on the computer and hands it to the mail client. It’s a sort of a hack, if you may, but it’s the best way they came up with to be able to scan encrypted connections for viruses (the previous way was MUCH worse, trust me).

The process of uninstalling and reinstalling generates a new cert that Avast installs in your computer (it’s unique).

I can confirm this has solved my problem as well. Thank you! :slight_smile:

An uninstall/reinstall resolved the problem for me as well.

Before the uninstall/reinstall, Thunderbird complained about an Avast-signed pop.gmail.com certificate that expired 6/7/2013. After the uninstall/reinstall, there isn’t any pop.gmail.com certificate. I’ve seen a couple of references to Google consolidating certificates. So I’m guessing that Google got rid of its pop.gmail.com certificate, replacing it with mail.google.com. Somehow Avast wasn’t able to handle this with respect to its “Avast-signed” version of pop.gmail.com. Does this sound correct?

Because avast! for Mac is capable of HTTPS scanning, whereas the PC version is not. The avast! CA must be there to enable that, more technical info here: http://public.avast.com/~tuma/techinfo/
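
An added example, not written by any poster in this thread or by Avast: a check that flags the three symptoms reported above for a certificate presented on imap.gmail.com:993 (issuer is not the expected public CA, validity has lapsed, name does not cover the host). The certificates are constructed samples in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the issuer names, the expected-issuer set and the timestamps are assumptions for illustration.

```python
import ssl
from datetime import datetime, timezone

def name_field(name, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def san_matches(san, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1].lower() == san[2:].lower()
    return san.lower() == host.lower()

def assess_cert(cert, host, now, expected_issuer_orgs):
    """Return a list of findings for one presented leaf certificate."""
    findings = []
    # A local scanning proxy re-signs the leaf with its own CA, so the issuer changes.
    if name_field(cert["issuer"], "organizationName") not in expected_issuer_orgs:
        findings.append("unexpected-issuer")
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now > expiry:
        findings.append("expired")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(s, host) for s in sans):
        findings.append("name-mismatch")
    return findings

# Assumption: the caller supplies the issuer organisation(s) it expects for this host.
EXPECTED = {"Google Trust Services"}
NOW = datetime(2013, 6, 15, tzinfo=timezone.utc)   # fixed clock for a repeatable run

# Constructed sample: leaf re-signed by a local mail-scanning proxy (placeholder issuer).
INTERCEPTED = {
    "subject": ((("commonName", "imap.googlemail.com"),),),
    "issuer": ((("organizationName", "Example AV Local Proxy CA"),),),
    "notAfter": "Jun  7 19:43:27 2013 GMT",
    "subjectAltName": (("DNS", "imap.googlemail.com"),),
}
# Constructed sample: what a direct connection is assumed to present.
DIRECT = {
    "subject": ((("commonName", "imap.gmail.com"),),),
    "issuer": ((("organizationName", "Google Trust Services"),),),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
    "subjectAltName": (("DNS", "imap.gmail.com"), ("DNS", "*.googlemail.com")),
}

if __name__ == "__main__":
    for label, cert in (("intercepted", INTERCEPTED), ("direct", DIRECT)):
        print(label, assess_cert(cert, "imap.gmail.com", NOW, EXPECTED))
```

An "unexpected-issuer" finding on its own is what any TLS-inspecting product produces by design; combined with "expired" it matches the warning Thunderbird raised in this thread.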