Jump to content


Comcast Email Security Cert Problems


  • Please log in to reply
4 replies to this topic

#1 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,647 posts

Posted 23 November 2016 - 06:00 PM

For someone more knowledgeable than I am about security certificates:  My mother's laptop running win7/Thunderbird for email is getting a message about Comcast email server's security certificate being missing/expired. From what I've seen online, this is not an unusual occurrence for Comcast (why am I not surprised). Thing is, my laptop running openSuSE with Thunderbird connects and retrieves email without any security cert messages. Both machines are behind the same router, and I checked to be sure my Thunderbird was using SSL/TLS, which it is.

Anyone have any ideas about why only one of these systems is getting the security cert message? I'm just curious--I know there's not a prayer of getting Comcast to address this issue.
Registered Linux User 344759

#2 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 20,921 posts

Posted 23 November 2016 - 08:42 PM

On your machine, make sure Thunderbird is set to check for certificate validation:

Settings/Preferences/Advanced/Certificates tab --> choose "ask me every time" and check box for "query OSCP response servers..."

And yes, lazy admins are usually the cause of improper/expired certifications. However, you can MAKE SURE by doing a "whois" in the terminal on the address that T-bird is using for Comcast email retrieval --> usually pop.bla-bla.com, etc <-- find it in your account settings on T-bird for your Comcast account. The "whois" will give you all the valid domain information about the domain (the bla-bla.com part) you're checking.

Example: from my Gmail account in T-bird (pop.googlemail.com)

vtel57@ericsbane06~:$ whois googlemail.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: GOOGLEMAIL.COM
Registrar: MARKMONITOR INC.
Sponsoring Registrar IANA ID: 292
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Updated Date: 16-jun-2016
Creation Date: 18-jul-2001
Expiration Date: 18-jul-2017
>>> Last update of whois database: Thu, 24 Nov 2016 00:39:27 GMT <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: googlemail.com
Registry Domain ID: 75120457_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2016-06-16T02:23:16-0700
Creation Date: 2001-07-18T00:00:00-0700
Registrar Registration Expiration Date: 2017-07-18T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: DNS Admin
Registrant Organization: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6502530000
Registrant Phone Ext:
Registrant Fax: +1.6506188571
Registrant Fax Ext:
Registrant Email: dns-admin@google.com
Registry Admin ID:
Admin Name: DNS Admin
Admin Organization: Google Inc.
Admin Street: 1600 Amphitheatre Parkway
Admin City: Mountain View
Admin State/Province: CA
Admin Postal Code: 94043
Admin Country: US
Admin Phone: +1.6502530000
Admin Phone Ext:
Admin Fax: +1.6506188571
Admin Fax Ext:
Admin Email: dns-admin@google.com
Registry Tech ID:
Tech Name: DNS Admin
Tech Organization: Google Inc.
Tech Street: 1600 Amphitheatre Parkway
Tech City: Mountain View
Tech State/Province: CA
Tech Postal Code: 94043
Tech Country: US
Tech Phone: +1.6502530000
Tech Phone Ext:
Tech Fax: +1.6506188571
Tech Fax Ext:
Tech Email: dns-admin@google.com
Name Server: ns3.google.com
Name Server: ns1.google.com
Name Server: ns4.google.com
Name Server: ns2.google.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-11-23T16:32:41-0800 <<<
The Data in MarkMonitor.com's WHOIS database is provided by MarkMonitor.com for
information purposes, and to assist persons in obtaining information about or
related to a domain name registration record. MarkMonitor.com does not guarantee
its accuracy. By submitting a WHOIS query, you agree that you will use this Data
only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
	 commercial advertising or solicitations via e-mail (spam); or
(2) enable high volume, automated, electronic processes that apply to
	 MarkMonitor.com (or its systems).
MarkMonitor.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor is the Global Leader in Online Brand Protection.
MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services
Visit MarkMonitor at http://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
For more information on Whois status codes, please visit
https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
--


#3 OFFLINE   ebrke

ebrke

    Board Bigwig

  • Forum MVP
  • 2,647 posts

Posted 24 November 2016 - 02:26 PM

Quote

On your machine, make sure Thunderbird is set to check for certificate validation:

Settings/Preferences/Advanced/Certificates tab --> choose "ask me every time" and check box for "query OSCP response servers..."
Those are the settings on my linux laptop.

Comcast accounts use servers mail.comcast.net and smtp.comcast.net, and of course whois comcast.net gives expected info. I just don't understand why one system gives cert warnings and the other does not, but then again there are a lot of things in this world I don't understand. I'm just super paranoid about anything on her win7 machine with the mess now passing for "security updates" under MS new system, but I guess I'm just going to have to take a deep breath and forget it.
Registered Linux User 344759

#4 OFFLINE   zlim

zlim

    It's me, plodr

  • Forum MVP
  • 6,970 posts

Posted 24 November 2016 - 06:12 PM

Make images and as long as your mother doesn't store the only copy of a file on her computer, if something goes awry, restore the image and she'll be good to go.

I restored a Nov. 7th image to my husband's laptop on Nov. 20th. He didn't notice anything different. Of course I had to update flash, SpywareBlaster, MBAM, FF ESR and MSE before I would let him use it again.
Liz
Registered Linux User # 401459
Posted Image

#5 OFFLINE   crp

crp

    Board Bigwig

  • Members
  • PipPipPipPipPipPipPipPipPipPipPip
  • 2,989 posts

Posted 27 November 2016 - 07:11 PM

for some reason I couldn't quote the post i wanted to , but anyway, there may have been an issue with a "master certificate list" . one of the machines might not have the latest and greatest concerning Comcast.
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users