Gnus development mailing list
From: Simon Josefsson <simon@josefsson.org>
Subject: Re: nnimap over SSL
Date: 22 Jan 2001 11:01:10 +0100	[thread overview]
Message-ID: <iluhf2rkis9.fsf@josefsson.org> (raw)
In-Reply-To: <87d7dg2bvl.fsf@tea.thpoon.com> (Arcady Genkin's message of "22 Jan 2001 04:07:42 -0500")

Arcady Genkin <antipode@thpoon.com> writes:

> I added (nnimap-server-port 993) and (nnimap-stream ssl) to the
> backend configuration.  In the messages below the line about
> ``Plaintext authentication'' is worrying me a bit.  Is the password
> encrypted?

Yes and no -- you're sending a cleartext password to the server,
albeit over an encrypted channel (assuming SSL is in fact used).  Use
`lsof' or `netstat' or similar to find out what connection actually is
used.

If you don't trust the encrypted network and/or the unauthenticated
server enough to handle your cleartext password (rather than using
some kind of challenge/response protocol), you should be worried.  In
practice, your current solution is good for passive attacks (network
sniffing) but is still open to active attacks (redirect server
hostname or network hijacking).

> Also, this might be off-topic, but I wonder where openssl stores the
> certificate it retrieves from the server (I'm using a self-signed
> certificate).

I believe it's only printed to stdout (or maybe stderr).

Frob `imap-ssl-program' and add CA certs and verification stuff and
the server will be authenticated.  This means server hostname
redirection or network routing hijacking won't work, but an attack
against the mail server itself would still collect your password.

The next step would be to not send your password in clear, using
CRAM/DIGEST-MD5, Kerberos, STARTTLS with client-certs, Ssh+imapd or
whatever.
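To make the distinction in the reply concrete (a cleartext password protected only by the channel, versus a challenge/response mechanism where the password itself never crosses the wire), here is an added example that is not part of the original message and not code from Gnus or imap.el. It simulates the IMAP AUTHENTICATE CRAM-MD5 exchange (RFC 2195) with both the server and client sides, then checks what an on-path observer would see compared with a plain LOGIN. The user name, password and hostname are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demonstration (not real accounts).
USER = "arcady"
PASSWORD = "correct horse battery staple"


def make_challenge(hostname: str) -> bytes:
    """Server side: build a fresh RFC 2195 challenge, <random.timestamp@host>.
    The random part is what keeps a captured response from being replayed."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: the response is 'user <hex HMAC-MD5(password, challenge)>'.
    Only the keyed digest leaves the client, never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def server_verify(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the digest from the stored secret and compare in
    constant time.  Caveat from the thread: the server must hold a secret
    equivalent to the password, so a compromised server still loses it."""
    try:
        _user, digest = response.split(" ", 1)
    except ValueError:
        return False
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def cram_md5_exchange(user: str, password: str, hostname: str = "imap.example.test") -> dict:
    """Run the whole AUTHENTICATE CRAM-MD5 exchange and return the base64
    lines as they would appear on the wire, plus the server's verdict."""
    challenge = make_challenge(hostname)
    response = cram_md5_response(user, password, challenge)
    return {
        "server": b"+ " + base64.b64encode(challenge),
        "client": base64.b64encode(response.encode()),
        "authenticated": server_verify(password, challenge, response),
    }


def login_exchange(user: str, password: str) -> dict:
    """For contrast: IMAP LOGIN sends both values as literal strings."""
    return {"client": f'a001 LOGIN "{user}" "{password}"'.encode(), "authenticated": True}


def password_visible_on_wire(transcript: dict, password: str) -> bool:
    """What a passive sniffer inside the channel would learn: does the
    cleartext password appear in any wire line, raw or base64-encoded?"""
    pw = password.encode()
    for line in transcript.values():
        if not isinstance(line, bytes):
            continue
        if pw in line:
            return True
        token = line.split(b" ")[-1]
        try:
            if pw in base64.b64decode(token, validate=True):
                return True
        except (ValueError, binascii.Error):
            pass
    return False


if __name__ == "__main__":
    for name, t in (("CRAM-MD5", cram_md5_exchange(USER, PASSWORD)),
                    ("LOGIN", login_exchange(USER, PASSWORD))):
        print(name, "authenticated:", t["authenticated"],
              "password on wire:", password_visible_on_wire(t, PASSWORD))
```

The CRAM-MD5 transcript authenticates without exposing the password, while the LOGIN line carries it verbatim; that is exactly why the reply still calls SSL-wrapped LOGIN "good for passive attacks" only once the channel is actually encrypted, and why it lists CRAM/DIGEST-MD5 as the next step. Note that neither mechanism authenticates the server, so the CA-certificate verification discussed earlier remains necessary.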
