On 16-10-2013 01:48, Sam Varshavchik wrote:
> Fernando Gozalo writes:
>
>> Hi,
>>
>> Searching in Google I have found this url
>> https://bugs.launchpad.net/ubuntu/+source/courier/+bug/1194892
>>
>> Is there something to worry about?
>
> No. Just another case of automatically putting one's brain in park,
> and blindly reading meaningless spewage from an automated
> "vulnerability" tester.
>

Reading through the manual test run in that bug report, the key claim
in the bug report seems to be:

If someone sends a valid IMAP/POP command between STARTTLS and the
actual TLS handshake, the valid response will be sent as the first
thing inside the TLS session.

I think this is only a real problem if one of the following is a real
problem:

A: Because the stuff before the TLS handshake can be spoofed by a MITM,
there may or may not be an opportunity to thus inject known plaintext
into the start of the TLS session, which may or may not make it easier
to exploit any chosen-plaintext vulnerabilities in TLS to break the
encryption and listen in on the real user's encrypted mail downloads.
This does require an additional TLS vulnerability though.

B: Because the stuff before the TLS handshake can be spoofed by a MITM,
this may be an opportunity to make a broken client handle the
unexpected replies to IMAP/POP commands it did not send itself. Any
well-written client will already be dealing with that risk for
unencrypted connections, but well-written e-mail programs are getting
rarer these days.

I am not sure what the IMAP and POP3 standards have to say about this
behavior. How should servers respond to commands received between
STARTTLS and the actual TLS handshake? Should they ignore them, respond
before the handshake, respond after the handshake or abort the
connection as badly corrupted?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
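As an added illustration, not code from this thread or from Courier: a toy line-based IMAP read loop that models the boundary Jakob describes, with a constructed wire capture and the TLS handshake reduced to a comment marker. The names `starttls_session`, `handle_command` and `INJECTED_WIRE` are invented; the mitigation shown (dropping whatever the server had already buffered when it accepted STARTTLS) is one answer to the question the post ends with, the other being to abort the connection.

```python
CRLF = b"\r\n"

def handle_command(line: bytes) -> bytes:
    """Answer a tiny subset of IMAP, enough to make the effect visible."""
    tag, _, cmd = line.partition(b" ")
    if cmd.upper() == b"CAPABILITY":
        return b"* CAPABILITY IMAP4rev1" + CRLF + tag + b" OK CAPABILITY done" + CRLF
    if cmd.upper() == b"NOOP":
        return tag + b" OK NOOP done" + CRLF
    return tag + b" BAD unknown command" + CRLF

def starttls_session(wire: bytes, discard_after_starttls: bool):
    """
    Model a server that read one TCP chunk `wire` from the plaintext side.
    `wire` holds the client's STARTTLS command and possibly further bytes that
    arrived before the handshake; if a MITM appended them, the real client
    never saw them.  Returns (replies_sent_in_plaintext, replies_sent_inside_tls).
    """
    lines = [l for l in wire.split(CRLF) if l]
    plaintext, inside_tls, buffered = [], [], []
    for i, line in enumerate(lines):
        tag, _, cmd = line.partition(b" ")
        if cmd.upper() == b"STARTTLS":
            plaintext.append(tag + b" OK Begin TLS negotiation now" + CRLF)
            buffered = lines[i + 1:]      # bytes already sitting in the input buffer
            break
        plaintext.append(handle_command(line))
    # --- the TLS handshake happens here; everything below is sent inside TLS ---
    if discard_after_starttls:
        buffered = []   # mitigation: forget everything read before the handshake
    for line in buffered:
        inside_tls.append(handle_command(line))   # the behaviour the bug report describes
    return plaintext, inside_tls

# Constructed wire capture (not from the bug report): a legitimate STARTTLS
# followed by a command the real client did not send, appended in the clear.
INJECTED_WIRE = b"a001 STARTTLS" + CRLF + b"a002 CAPABILITY" + CRLF

if __name__ == "__main__":
    for fix in (False, True):
        pt, tls = starttls_session(INJECTED_WIRE, discard_after_starttls=fix)
        print("discard buffered input:", fix, "-> replies inside TLS:", tls)
```

With `discard_after_starttls=False` the CAPABILITY reply is the first thing the client receives inside the TLS session, exactly the symptom the bug report flags; with the flag set, the TLS session starts empty and the server only answers what the client actually sends after the handshake.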
_______________________________________________
Courier-imap mailing list
Courier-imap@lists.sourceforge.net