This morning, I noticed that my Android was showing a certificate error when trying to check email on my Cox ISP account. Android wouldn’t display the certificate error or even the certificate of the service I was connecting to. A manager at work had the same issue, but on an iPhone, which did allow you to view the certificate, so I was able to eyeball the certificate and note that the dates were correct.
When I got home, I set up Thunderbird and immediately saw the problem. I was checking mail at spop.east.cox.net, and the certificate was for pop.east.cox.net. In the past, Cox, for whatever reason, had POP over SSL users use a different address.
Cox has simplified its server addressing scheme to pop.cox.net and smtp.cox.net. While they say that pop.east.cox.net will continue to work, they apparently forgot about spop.east.cox.net.
It is never a good idea to “click through” certificate errors. This is particularly true when it is a new error on a frequently used connection. In this case it turned out to be a provider-induced error rather than a man-in-the-middle attack, but it is better to be safe than sorry.
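The two checks made by eye above (validity dates, then the name on the certificate) can be scripted instead of clicking through. This is an added example, not part of the original post: the function names are hypothetical, port 995 is assumed as the POP over SSL port, and the sample certificate is constructed, not Cox's real one.

```python
import socket
import ssl

def fetch_cert(host, port=995, timeout=10):
    """Fetch the server certificate with the chain verified but the name check deferred."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def diagnose(cert, hostname, now):
    """Return a list of findings; an empty list means names and dates are fine."""
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"name mismatch: {hostname} not in {names}")
    return findings

# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "pop.east.cox.net"),),),
    "subjectAltName": (("DNS", "pop.east.cox.net"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
```

Against a live server, `diagnose(fetch_cert(host), host, time.time())` separates a wrong-name certificate from an expired one; a chain that fails verification still raises in `fetch_cert` and should be treated as a real warning.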