Gnus development mailing list
* nnimap over SSL
@ 2001-01-22  9:07 Arcady Genkin
From: Arcady Genkin @ 2001-01-22  9:07 UTC (permalink / raw)


I have just configured SSL wrapper around uw-imap server (with
stunnel).

I added (nnimap-server-port 993) and (nnimap-stream ssl) to the
backend configuration.  In the messages below the line about
``Plaintext authentication'' is worrying me a bit.  Is the password
encrypted?

,----[ recent messages ]
| nnimap: Updating info for nnimap+soup:mail/private...
| imap: Plaintext authentication...
| imap: Connecting to soup...done
| Waiting for response from soup...done
| imap: Opening SSL connection with `openssl s_client -ssl3 -connect %s:%p'...done
| imap: Opening SSL connection with `openssl s_client -ssl3 -connect %s:%p'...
| imap: Connecting to soup...
`----

Also, this might be off-topic, but I wonder where openssl stores the
certificate it retrieves from the server (I'm using a self-signed
certificate).

Many thanks,
-- 
Arcady Genkin
Don't read everything you believe.




* Re: nnimap over SSL
@ 2001-01-22 10:01 ` Simon Josefsson
From: Simon Josefsson @ 2001-01-22 10:01 UTC (permalink / raw)


Arcady Genkin <antipode@thpoon.com> writes:

> I added (nnimap-server-port 993) and (nnimap-stream ssl) to the
> backend configuration.  In the messages below the line about
> ``Plaintext authentication'' is worrying me a bit.  Is the password
> encrypted?

Yes and no -- you're sending a cleartext password to the server,
albeit over an encrypted channel (assuming SSL is in fact used).  Use
`lsof' or `netstat' or similar to find out what connection actually is
used.

If you don't trust the encrypted network and/or the unauthenticated
server enough to handle your cleartext password (rather than using
some kind of challenge/response protocol), you should be worried.  In
practice, your current solution is good for passive attacks (network
sniffing) but is still open to active attacks (redirect server
hostname or network hijacking).

> Also, this might be off-topic, but I wonder where openssl stores the
> certificate it retrieves from the server (I'm using a self-signed
> certificate).

I believe it's only printed to stdout (or maybe stderr).

Frob `imap-ssl-program' and add CA certs and verification stuff and
the server will be authenticated.  This means server hostname
redirection or network routing hijacking won't work, but an attack
against the mail server itself would still collect your password.

The next step would be to not send your password in clear, using
CRAM/DIGEST-MD5, Kerberos, STARTTLS with client-certs, Ssh+imapd or
whatever.




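To make the "add CA certs and verification stuff" advice concrete, here is an added example (not from the thread, not Gnus code) of the wrapper command one could put in `imap-ssl-program' and a check that refuses to treat the session as authenticated unless s_client reports a successful certificate verification. The CA file path is a placeholder, the `%s'/`%p' placeholders are the ones Gnus substitutes with host and port (as in the log above), and `-verify_return_error' assumes a newer OpenSSL than the 2001-era build in the thread.

```shell
#!/bin/sh
# Added example: server authentication for an openssl-based IMAP-over-SSL
# wrapper. Without -CAfile/-verify_return_error, s_client happily talks
# to any certificate and merely prints the verify result, which is what
# leaves the setup open to the hostname redirection / hijacking attacks
# described in the reply above.

# Build the command string for `imap-ssl-program'. %s and %p are left
# literal so that Gnus can substitute the server host and port.
# -CAfile: the CA (or the self-signed server cert itself) to trust.
# -verify_return_error: abort the handshake if verification fails.
build_ssl_command() {
    cafile="$1"   # placeholder path supplied by the caller
    printf 'openssl s_client -quiet -CAfile %s -verify_return_error -connect %%s:%%p' "$cafile"
}

# Parse the "Verify return code: N (text)" line that s_client prints and
# succeed only when N is 0. Used to audit an interactive test run before
# trusting the configuration.
check_verify_output() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] && [ "$code" -eq 0 ]
}

# Run a real test against a server and report whether the certificate
# chain verified. Requires network access; not exercised by the checks.
verify_server() {
    host="$1"; port="$2"; cafile="$3"
    out=$(openssl s_client -CAfile "$cafile" -connect "$host:$port" </dev/null 2>&1)
    check_verify_output "$out"
}

# Constructed sample outputs (not captured from a real server): the
# first is what a verified chain prints, the second what an untrusted
# self-signed certificate prints.
SAMPLE_OK='SSL handshake has read 1234 bytes and written 456 bytes
Verify return code: 0 (ok)'
SAMPLE_SELFSIGNED='SSL handshake has read 1234 bytes and written 456 bytes
Verify return code: 18 (self signed certificate)'
```

A verify code of 0 only tells you the chain is trusted; hostname matching is a separate check, so keep the `-verify_return_error' flag in the wrapper and confirm the name in the certificate belongs to the IMAP server you configured.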
