I am trying to decide on a new e-mail service. I use fetchmail to fetch my e-mail and process it using procmail. Some of the email services (e.g. gmx.com, outlook.com, etc.) do not seem to require the certificate and the fingerprint to be checked. Some others, such as inbox.com or gmail.com, do. I am wondering if there is a security hole in going from the latter kind to the former. What is the value of the certificate checking? Sorry that I am not a cryptography guy, but I would not like to have a bigger security hole than needed.
Thanks!
Some of the email services ... do not seem to require the certificate and the fingerprint checked. Some others ... do. ... What is the value of the certificate checking?
The server certificate is checked to make sure that you are talking to the expected server and not some attacker doing a man-in-the-middle attack. With a successful man-in-the-middle attack it is possible to read and even modify the transferred data, and neither client nor server will notice.
Checking the server's certificate (either as a certificate or as a fingerprint) is done by the client and cannot be enforced by the server. Thus it is fully up to you whether you do a proper check and verify that you are talking to the expected server, or whether you omit certificate validation and are thus open to man-in-the-middle attacks.
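Since the check is the client's job, here is what it looks like on the fetchmail side; this is an added illustration, not from the question or the answer, and the host, user, password and fingerprint are placeholders (the real fingerprint for `sslfingerprint` is the MD5 fingerprint of the server certificate, which you can read off with `openssl s_client -connect HOST:993 </dev/null | openssl x509 -noout -fingerprint -md5`):

```conf
# ~/.fetchmailrc (fetchmail refuses to run unless this file is mode 0600)
# Placeholder values throughout; mail.example.net / alice / the fingerprint
# are constructed for the example.

# Variant A: TLS is used, but without sslcertck nothing stops a
# man-in-the-middle from presenting an arbitrary certificate, so the
# session is encrypted to whoever answered, not necessarily to your provider.
poll mail.example.net protocol IMAP
    user "alice@example.net" password "PLACEHOLDER"
    ssl
    mda "/usr/bin/procmail -d %T"

# Variant B (use this instead of A, not in addition): sslcertck makes
# fetchmail verify the server certificate against the CA store and abort on
# failure; sslfingerprint additionally pins the expected certificate, so even
# a certificate signed by a trusted CA is rejected if it is not this one.
poll mail.example.net protocol IMAP
    user "alice@example.net" password "PLACEHOLDER"
    ssl sslcertck
    sslfingerprint "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"
    mda "/usr/bin/procmail -d %T"
```

Test the pinned entry with `fetchmail -v -c` once; a fingerprint or CA mismatch shows up in the verbose output and the poll is aborted before any credentials are sent.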