Re: Things have changed...
An update on this article can be found at
Re: pop3 ssl?
> > It is very important to set up
> fetchmail with some type of encryption.
> Otherwise, your Gmail password will be
> broadcast over the Internet
> Instead of using STARTTLS---getting
> certificates, extracting them,
> etc.---can't one just do the following
> in .fetchmailrc?
> poll pop.gmail.com proto pop3 ssl
> Is this insecure?
This sets up an encrypted connection to "some" server. There is no verification that this server is really pop.gmail.com. For example it is possible, and has happened in the past, that upstream DNS(s) could be poisoned. Reference SANS DNS poisoning.
Remember, DNS maps the name to an IP address. If it's not the correct IP address, you could potentially establish an encrypted connection to someone who is not really pop.gmail.com, and give them your password.
Using fetchmail with the sslcertck option validates the certificate first, making sure you really are talking to gmail, before sending your password.
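
Added example, not part of the original thread or of fetchmail itself: a small Python check that lists the server entries in a .fetchmailrc that turn on ssl without sslcertck, which is the gap the reply above describes. The sample file, the hosts other than pop.gmail.com, and the function names are constructed for illustration, and the parser handles only the keyword forms shown.

```python
import shlex

# Keywords that start a new entry in a fetchmail run control file.
ENTRY_KEYWORDS = {"poll", "server", "skip", "defaults"}

# Constructed sample; only the pop.gmail.com poll line comes from the thread.
SAMPLE_RC = '''
set daemon 300
poll pop.gmail.com proto pop3 ssl
    user "alice@example.com" password "placeholder"
poll pop.example.org proto pop3
    user "alice" password "placeholder" ssl sslcertck
poll mail.example.net proto imap
    user "alice" password "placeholder" ssl no sslcertck
'''

def parse_entries(text):
    """Split rc text into entries: kind, server name, option tokens."""
    lexer = shlex.shlex(text, posix=True)   # '#' comments are skipped by default
    lexer.whitespace_split = True           # keep host names and options whole
    entries, current = [], None
    for tok in lexer:
        if tok in ENTRY_KEYWORDS:
            current = {"kind": tok, "name": None, "tokens": []}
            entries.append(current)
        elif current and current["name"] is None and current["kind"] != "defaults":
            current["name"] = tok
        elif current:                       # tokens before any entry are global "set" lines
            current["tokens"].append(tok)
    return entries

def option_on(tokens, word, default):
    """Last occurrence wins; a preceding 'no' switches the option off."""
    state = default
    for i, tok in enumerate(tokens):
        if tok == word:
            state = not (i > 0 and tokens[i - 1] == "no")
    return state

def unverified_tls_entries(text):
    """Names of entries that enable ssl but do not enable sslcertck."""
    inherited = {"ssl": False, "sslcertck": False}
    findings = []
    for e in parse_entries(text):
        state = {k: option_on(e["tokens"], k, v) for k, v in inherited.items()}
        if e["kind"] == "defaults":
            inherited = state               # later entries inherit these settings
        elif state["ssl"] and not state["sslcertck"]:
            findings.append(e["name"])
    return findings
```

Calling `unverified_tls_entries(SAMPLE_RC)` reports the first and third entries; the second is accepted because it sets both options.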