Short answer: not in any practical way.
Medium answer: yes, but someone would have to surreptitiously obtain physical control of your phone long enough to install a new root CA. (See Sean's answer)
Longer answer: of course it's theoretically possible, but the attacker would have to compromise a CA that you already trust. Sadly, this isn't as outlandish a prospect as it should be, but it's still extremely unlikely. I don't know how often Samsung or Google removes known-compromised CAs from the trust list, if ever, so I can't say how large the potential exposure is. On the other hand, the only way you'd be caught by something like that would be as part of a very large, very sophisticated operation that was doing it to *everyone*.
You can issue your own certificate, signed against your own CA, and "just" ensure your own CA is imported into every client you use... I wouldn't bother, but it's an option.
-Adam
On Jan 18, 2014 3:37 AM, Trevor Cordes trevor@tecnopolis.ca wrote:
I'm just wondering if it is possible for someone to MitM me in the
following scenario and intercept plaintext traffic:
dovecot imaps server with real thawte "quick" cert
|
imaps (ssl)
|
public wifi
|
android phone using imaps using "ssl" not "ssl (any cert)" option
For instance, can a malicious hotspot use some sort of interception
technique / spoofing and some sort of wildcard cert to trick my phone into
negotiating SSL with it, which then does its own SSL to my dovecot server,
thus MitM'ing me without me even knowing? I know in a web browser I'd
normally be protected against that by looking at the URL in the address
bar, or the green EV-cert graphics (or am I wrong in even that
assumption)?
How paranoid do I have to be? And is there any way to beat any
shortcoming on Android, perhaps with a client cert or a way to tie the
account to a single manually-specified server SSL cert?
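As an added illustration (not code from either poster, and not anything the Android mail client in the thread exposes), the following Python script shows what the two mitigations discussed above look like when a client does support them: trusting only a private CA that you imported yourself, as Adam suggests, and tying the account to one manually recorded server certificate, as Trevor asks about. It uses only the standard library's `imaplib` and `ssl` modules; the host name, CA file path and pinned fingerprint are placeholders you would replace with your own values.

```python
import hashlib
import hmac
import imaplib
import ssl

# Placeholder values (constructed for this example, not from the thread):
IMAP_HOST = "mail.example.com"           # assumption: your Dovecot host
IMAPS_PORT = 993                         # standard IMAPS port
PRIVATE_CA_FILE = "my-private-ca.pem"    # assumption: PEM of the CA you issued the cert with
# SHA-256 over the server's DER-encoded leaf certificate, recorded out of band
# (for example on the server itself). Placeholder value only.
PINNED_LEAF_SHA256 = "00" * 32


def build_strict_context(cafile=None):
    """Return a TLS context that requires a verified certificate and hostname.

    With `cafile` set, ONLY that CA is trusted, so a certificate chained to
    any other CA in the phone's or OS's trust store (compromised or not) is
    rejected. With `cafile=None` the platform trust store is used, which is
    the situation described in the question.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True               # name in the cert must match IMAP_HOST
    ctx.verify_mode = ssl.CERT_REQUIRED     # never accept an unverified cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def leaf_fingerprint(der_cert):
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Compare the presented certificate against the pin recorded out of band.

    Accepts the pin with or without colons and in either case, as tools such
    as `openssl x509 -fingerprint -sha256` print it. Uses a constant-time
    comparison out of habit; the value is not secret, but it costs nothing.
    """
    expected = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(leaf_fingerprint(der_cert), expected)


def open_pinned_imaps(host, port, cafile, pinned_hex):
    """Connect over IMAPS, then refuse to proceed unless the leaf cert is the pinned one.

    Chain validation (private CA, hostname) happens inside IMAP4_SSL's
    handshake; the pin check below is the extra "single manually specified
    server cert" layer. Note that a leaf pin must be updated whenever the
    server certificate is renewed, whereas the private-CA check survives
    renewals as long as the new cert is issued by the same CA.
    """
    ctx = build_strict_context(cafile)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    der = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(der, pinned_hex):
        conn.shutdown()
        raise ssl.SSLError(
            f"certificate pin mismatch for {host}: got {leaf_fingerprint(der)}"
        )
    return conn


if __name__ == "__main__":
    # Example usage; requires network access and real values above.
    imap = open_pinned_imaps(IMAP_HOST, IMAPS_PORT, PRIVATE_CA_FILE, PINNED_LEAF_SHA256)
    print(imap.capability())
    imap.logout()
```

The private-CA path is the more maintainable of the two: a client that trusts only `my-private-ca.pem` rejects every certificate a hotspot could obtain from a public CA, without needing a pin update at each renewal. Leaf pinning is stricter but brittle, and a client that silently falls back to the platform store when the pin fails gives no protection at all, which is why the check above raises rather than warns.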
_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable