From: Simon Josefsson
Newsgroups: gmane.emacs.gnus.general
Subject: Re: nnimap over SSL
Date: 22 Jan 2001 11:01:10 +0100
To: ding@gnus.org
In-Reply-To: <87d7dg2bvl.fsf@tea.thpoon.com> (Arcady Genkin's message of "22 Jan 2001 04:07:42 -0500")
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/21.0.95

Arcady Genkin writes:

> I added (nnimap-server-port 993) and (nnimap-stream ssl) to the
> backend configuration. In the messages below the line about
> ``Plaintext authentication'' is worrying me a bit. Is the password
> encrypted?

Yes and no -- you're sending a cleartext password to the server, albeit
over an encrypted channel (assuming SSL is in fact used). Use `lsof' or
`netstat' or similar to find out what connection actually is used.

If you don't trust the encrypted network and/or the unauthenticated
server enough to handle your cleartext password (rather than using some
kind of challenge/response protocol), you should be worried. In
practice, your current solution is good for passive attacks (network
sniffing) but is still open to active attacks (redirect server hostname
or network hijacking).

> Also, this might be off-topic, but I wonder where openssl stores the
> certificate it retrieves from the server (I'm using a self-signed
> certificate).

I believe it's only printed to stdout (or maybe stderr). Frob
`imap-ssl-program' and add CA certs and verification stuff and the
server will be authenticated. This means server hostname redirection or
network routing hijacking won't work, but an attack against the mail
server itself would still collect your password.

The next step would be to not send your password in clear, using
CRAM/DIGEST-MD5, Kerberos, STARTTLS with client-certs, Ssh+imapd or
whatever.
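The two points in the reply above, an encrypted channel that does not authenticate the server versus one that does, and a plain LOGIN versus a challenge/response mechanism that keeps the password off the wire, as an added worked example in Python. This is not code from the thread or from Gnus; it shows the modern equivalent of "add CA certs and verification stuff" (a verifying TLS context, with a self-signed server certificate supplied as the sole trust anchor) beside the weak configuration, and computes an RFC 2195 CRAM-MD5 response for a constructed challenge. The host, port and certificate path are assumptions. One caveat a practitioner should keep in mind: CRAM-MD5 requires the server to hold the password in recoverable form and relies on HMAC-MD5, so today it is a mitigation for the wire, not a substitute for a verified TLS connection.

```python
"""Added example (not from the original thread): a verifying TLS context
for an IMAP client beside the unverified one, and why CRAM-MD5 keeps the
password off the wire where a plain LOGIN does not."""
import base64
import hashlib
import hmac
import imaplib
import ssl


def verifying_context(cafile=None):
    """TLS context that authenticates the server.

    With a self-signed server certificate, pass that certificate file as
    `cafile` (assumed path); it then becomes the only trust anchor, so a
    redirected hostname or hijacked route cannot present a substitute.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def unverified_context():
    """The 'encrypted but unauthenticated' case the reply warns about:
    traffic is encrypted, but whichever server answers is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx):
    """True only if the context both requires a chain to a trusted CA
    and checks that the certificate matches the hostname dialled."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def open_imap(host, port=993, cafile=None):
    """Connect to IMAPS with server verification on (host/port assumed)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=verifying_context(cafile))


def login_wire_bytes(tag, user, password):
    """What a plain LOGIN writes to the (TLS-wrapped) socket: the password
    appears literally, which is what 'Plaintext authentication' means."""
    return f'{tag} LOGIN "{user}" "{password}"\r\n'.encode()


def cram_md5_response(user, password, challenge_b64):
    """Client reply to an AUTHENTICATE CRAM-MD5 challenge (RFC 2195):
    base64("user" + " " + hex(HMAC-MD5(key=password, msg=challenge))).
    The server only ever sees the keyed digest, never the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


if __name__ == "__main__":
    # Constructed challenge: the one printed in RFC 2195's example exchange.
    chal = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
    print(login_wire_bytes("a001", "tim", "tanstaaftanstaaf"))
    print(cram_md5_response("tim", "tanstaaftanstaaf", chal))
    print(context_authenticates_server(verifying_context()),
          context_authenticates_server(unverified_context()))
```

Use `open_imap("imap.example.net", cafile="/path/to/server.pem")` (both assumed) for a self-signed server; the connection is refused outright if the presented certificate is not the pinned one, which is the behaviour the reply describes as "the server will be authenticated".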