[Ach] Fwd: [Uta] Fwd: [oss-security] Requesting a CVE id for Trojitá, an e-mail client: SSL stripping

Aaron Zauner azet at azet.org
Wed Mar 19 23:49:41 CET 2014



-------- Original Message --------
Subject: [Uta] Fwd: [oss-security] Requesting a CVE id for Trojitá, an
e-mail client: SSL stripping
Date: Wed, 19 Mar 2014 18:11:12 -0400
From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
To: uta at ietf.org <uta at ietf.org>

The message below was just sent to the oss-security list.  It describes
a protocol problem with the interaction between IMAP's PREAUTH mechanism
and STARTTLS mechanism.

The catch is in the intersection of two definitions:

STARTTLS is defined as a command for IMAP's "Not Authenticated" state:

 https://tools.ietf.org/html/rfc3501#section-6.2.1

But an IMAP server can also start its communications with a "PREAUTH"
response, which suggests that the client should be in the
"Authenticated" state to begin with:

 https://tools.ietf.org/html/rfc3501#section-7.1.4

So if a client is configured to use STARTTLS, and it connects to an IMAP
server on port 143, and that server (which could be an MITM) answers
with "PREAUTH", the client might not even try to issue STARTTLS (indeed,
the spec might not even allow it).

Further discussion here:

 http://thread.gmane.org/gmane.mail.imap.general/3427

Note that IMAP-inside-TLS isn't vulnerable to this confusing situation.

	--dkg

-------------- next part --------------
An embedded message was scrubbed...
From: Jan Kundrát <jkt at flaska.net>
Subject: [oss-security] Requesting a CVE id for Trojitá, an e-mail client: SSL stripping
Date: Wed, 19 Mar 2014 19:52:04 +0100
Size: 4894
URL: <http://lists.cert.at/pipermail/ach/attachments/20140319/5d21e23c/attachment.eml>
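
An added example, not part of the forwarded message and not Trojitá's code: one client-side policy for the greeting handling described above, assuming the user has configured STARTTLS as mandatory. The names `next_step` and `TlsPolicyError`, the return values and the sample greetings are hypothetical and constructed for illustration.

```python
import re

# RFC 3501 section 7.1: the server greeting is an untagged OK, PREAUTH or BYE,
# optionally carrying a [CAPABILITY ...] response code.
GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b(?: \[CAPABILITY ([^\]]*)\])?", re.I)


class TlsPolicyError(Exception):
    """Continuing would send IMAP traffic without the TLS the user required."""


def next_step(greeting: bytes, require_starttls: bool, tls_active: bool = False) -> str:
    """Decide what the client does after reading the server greeting.

    Returns "STARTTLS", "LOGIN" or "PROCEED" (session already authenticated),
    or raises TlsPolicyError. Hypothetical helper, not a library API.
    """
    m = GREETING.match(greeting.strip())
    if m is None:
        raise ValueError("not an IMAP greeting")
    status = m.group(1).upper()
    caps = (m.group(2) or b"").upper().split()
    if status == b"BYE":
        raise ConnectionError("server refused the connection")
    # IMAP-inside-TLS, or a user who did not ask for STARTTLS: nothing to enforce.
    if tls_active or not require_starttls:
        return "PROCEED" if status == b"PREAUTH" else "LOGIN"
    # From here on: cleartext connection and STARTTLS is mandatory.
    if status == b"PREAUTH":
        # STARTTLS is defined only for the Not Authenticated state, so this
        # session can no longer be upgraded. Stop instead of going on in cleartext.
        raise TlsPolicyError("PREAUTH greeting before STARTTLS")
    if caps and b"STARTTLS" not in caps:
        raise TlsPolicyError("STARTTLS required but not advertised")
    # No capability list in the greeting: attempt STARTTLS and let a NO/BAD fail it.
    return "STARTTLS"


if __name__ == "__main__":
    # Constructed greetings, not captured traffic.
    for g in (b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n", b"* PREAUTH hello\r\n"):
        try:
            print(g.strip(), "->", next_step(g, require_starttls=True))
        except TlsPolicyError as e:
            print(g.strip(), "-> abort:", e)
```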