This morning, I notice that my Android was showing a certificate error trying to check email on my Cox ISP account.   Android wouldn’t display the certificate error or even the certificate of the service I’m connecting to.   A manager at work had the same issue but on the iPhone which did allow you to view the certificate so I was able to eyeball the certificate and note that the dates were correct.

When I got home, I set up Thunderbird and immediately saw the problem.   I was checking mail at spop.east.cox.net, and the certificate was for pop.east.cox.net.   In the past, Cox for whatever reason had the POP over SSL users have a different address.

Cox has simplified its server addressing scheme to pop.cox.net and smtp.cox.net.    While they say that  pop.east.cox.net will continue to work, they apparently forgot about spop.east.cox.net.

It is never a good idea to “click through” certificate errors.   This is particularly true when it is a new error on a frequently used connection.   In this case it turned out to be a provider induced error rather than a man in the middle attack, but it is better to be safe than sorry.