mirror of https://git.code.sf.net/p/isync/isync
Browse Source
such connections don't support STARTTLS. that is reasonable, as whatever makes the connection preauthenticated (typically a Tunnel used to launch imapd via a shell login) must already rely on the connection's security. consequently, we would not try to use STARTTLS with such connections. unfortunately, we'd also skip the RequireSSL check as a side effect. this means that a rogue server (via a MITM attack) could simply offer a preauthenticated connection to make us not use SSL, and thus bypass server authentication. as a result, we could send potentially sensitive data to the attacker: - with Patterns used, we would send a LIST command which reveals the remote Path setting. this isn't very useful to an attacker. also, IMAP Accounts usually rely on the server-provided NAMESPACE to start with. - with Create enabled for the remote Store, we would upload messages from newly appeared local folders. this isn't a very likely situation, unless the attacker manages to convince the victim to move/copy interesting mails to a new folder right before the attack. - with Expunge enabled for the local Store, previously synchronized folders would be wiped. however, this would require the attacker to know the correct UIDVALIDITY of each remote folder, which would require incredible luck or convincing the victim to disclose them. the first mismatch would likely tip off the victim. in practice, someone with the level of technical and social engineering skills required for this attack would very likely find more attractive attack vectors. therefore, i don't consider this a particularly serious issue. configurations with UseIMAPS enabled or using a secure Tunnel were not affected to start with. a side effect of this fix is that most users of Tunnel will now need to explicitly set RequireSSL to false. an alternative approach would be defaulting all SSL-related settings to off when Tunnel is used. this would be too invasive for a patch release, but i'll consider it for 1.2. see also CVE-2014-2567 for the Trojita MUA.1.1
Oswald Buddenhagen
11 years ago
2 changed files with 17 additions and 3 deletions
Loading…
Reference in new issue