In your example the certificate you're being given when connecting through SMTP is for smtp.gmail.com.
It is this certificate that proves your connection is to smtp.gmail.com and not somebody else. That's the whole freaking point of HTTPS. What Google does from there, it's their business, but NO, they are not the man in the middle, as you explicitly and willfully connected to them and allowed them to send email on your behalf.
On the other hand, connecting to HTTPS with one of these Nokia phones leaves you with the impression that HTTPS connections to google.com are secure, when in fact the Nokia device is LYING TO YOU.
The example you've given couldn't have been any worse.
Nokia is not faking certs. The "browser" only talks to .browser.ovi.com and the SSL certs are issued to .browser.ovi.com. SSL is working exactly as it should. The "security researcher" didn't understand the results he was seeing and freaked out. The Nokia phone only does a DNS lookup of .browser.ovi.com, it only connects to .browser.ovi.com, and it only gets an SSL cert from .browser.ovi.com.
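The disagreement above comes down to one question: which hostname does the presented certificate actually vouch for? A certificate for smtp.gmail.com proves you reached smtp.gmail.com; a certificate issued to the proxy's own name proves you reached the proxy, and says nothing about google.com. The following is an added example, not code from either commenter, that applies RFC 6125-style hostname matching to certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificates are constructed for the example (the wildcard entry `*.browser.ovi.com` is an assumption about how such a proxy certificate might be issued, not something taken from the thread), and `fetch_peer_cert` is a hypothetical helper that needs network access and is not exercised offline.

```python
import socket
import ssl
from typing import Any, Dict, Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact label-for-label equality, or a single '*'
    standing in for the entire leftmost label of a name with at least two
    more labels. '*.google.com' does not match 'a.b.google.com' or 'google.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only accept '*' as the whole leftmost label, never '*.com' or 'a*.example'.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def extract_dns_names(cert: Dict[str, Any]) -> List[str]:
    """Collect the DNS names a getpeercert()-style dict vouches for.
    subjectAltName is authoritative; commonName is consulted only when no SAN is present."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def verify_peer_identity(cert: Dict[str, Any], intended_host: str) -> bool:
    """True only if some name in the certificate covers the host the user meant to reach."""
    return any(hostname_matches(name, intended_host) for name in extract_dns_names(cert))


def fetch_peer_cert(host: str, port: int = 465) -> Dict[str, Any]:
    """Hypothetical helper (needs network): open a verified TLS connection and return
    the leaf certificate as a dict. create_default_context() enables chain validation
    and hostname checking, so a name mismatch raises before any data is exchanged."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the getpeercert() dict shape (not real data).
GMAIL_SMTP_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "smtp.gmail.com"),),),
    "subjectAltName": (("DNS", "smtp.gmail.com"),),
}

OVI_PROXY_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "browser.ovi.com"),),),
    # Assumed wildcard entry for illustration; the thread only shows the bare domain.
    "subjectAltName": (("DNS", "browser.ovi.com"), ("DNS", "*.browser.ovi.com")),
}


def explain(cert: Dict[str, Any], intended_host: str) -> str:
    ok = verify_peer_identity(cert, intended_host)
    names = ", ".join(extract_dns_names(cert))
    verdict = "proves you reached" if ok else "does NOT prove you reached"
    return f"certificate for [{names}] {verdict} {intended_host}"


if __name__ == "__main__":
    # Connecting to Gmail's SMTP server and getting Gmail's certificate: identity holds.
    print(explain(GMAIL_SMTP_CERT, "smtp.gmail.com"))
    # A proxy's certificate covers the proxy's own names, not the site the user typed.
    print(explain(OVI_PROXY_CERT, "eu.browser.ovi.com"))
    print(explain(OVI_PROXY_CERT, "www.google.com"))
```

The last call is the crux of the thread: the proxy certificate validates perfectly for the proxy's own hostname, and a browser that reports that as a secure connection to www.google.com is reporting the wrong endpoint's identity. Whether that counts as "lying" is a UI question, but the matching logic itself has no opinion; it only answers which name the certificate covers.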