I'm in full support of your ideas.

When connecting to gmail with MicroB I get the yellow ssl notification bar 'gmail.com verified by (null)'

(null) doesn't sound very secure.
Would be great to update the certificates..

As far as I am concerned, 'gmail.com' doesn't sound very secure

Not my preferred provider either, only for a few things.
My private mail is on a proper privacy friendly provider

Also still compatible with the built in email client.
G-m does not work due to supposedly outdated client, hence MicroB.

Disregarding privacy, the G-m seem to have their security protocols quite top notch.

In any case, replacing certificates where needed and other security updates would be more than helpful if we are able to achieve 2015/16 security standards.

This would mean updating the whole system, no?
Critical glibc bugs:
https://rhn.redhat.com/errata/RHSA-2015-0090.html
https://rhn.redhat.com/errata/RHSA-2015-0092.html
...
Last time ppl tried using latest libc/glibc builds from debian random apps would break (calendar etc)

If you're referring to the so-called GHOST glibc bug (https://www.redhat.com/security/data...2015-0235.html), it has been patched in cssu-testing:
http://wiki.maemo.org/Community_SSU/Changelog#Tmaemo11

I guess this one should go in next cssu-stable if nobody reported any issue (?).
But others security issues might still be hiding in our not-so-young glibc, and it looks like we're still forced to backport patches instead of upgrading.

Yeah, forgive maritime metaphor, but it's like patching the sails when the boat is leaking

as said in Deus Ex Human Revolution:

"You don't fix an entire firewall, you find the loophole and plug it."

Many loopholes..luckily we are on dry land?

Slightly OT, but Gmail definitely works on N900 for many of us. Check your configs. Hoping you're on CSSU as well.

Yes, I'm on CSSU. Correct, I checked my security settings at gmail, having 'access restricted from apps with weaker security', it won't work in the N900s mail client.

I prefer not to potentially compromise security in favour of ease of use. The N900 is a mighty beast, however can it stay safe by updating security protocols and removing outdated ones?

To improve security on the N900 for web browsing, we need to do 2 things. First we need to make sure the root certificate store is up-to-date (CSSU has it in maemo-security-certman repo so we need to update it there if there is anything that needs doing to that repo) and secondly we need to upgrade/fix/improve nss inside microb-engine (and make the relavent changes to microb-engine as well). Its definatly possible in that all the relavent bits are 100% FOSS, it just needs someone that understands Gecko, NSS and microb-engine who can do the work