[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability

From: Jens Lechtenboerger
Subject: bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
Date: Fri, 05 Dec 2014 20:38:21 +0100
User-agent: Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux)

This is a followup to bug#16978, where I reported multiple MITM

imap.el uses openssl's s_client via imap-ssl-program.

>From the man page:
> The s_client utility is a test tool and is designed to continue
> the handshake after any certificate verification errors. As a
> result it will accept any certificate chain (trusted or not) sent
> by the peer. None test applications should not do this as it makes
> them vulnerable to a MITM attack. This behaviour can be changed by
> with the -verify_return_error option: any verify errors are then
> returned aborting the handshake.

In addition, imap.el only tries SSLv2 and SSLv3, whose end-of-life
might be near.  I cannot access some of my servers at all (as they
only allow TLS).

If the above was fixed, one would still be vulnerable to attacks
with “trusted” certificates.

imap.el should probably use nsm.el.  In the meantime, I continue to
use the following:
(setq imap-ssl-program '("gnutls-cli --strict-tofu -p %p %s"))

Best wishes

reply via email to

[Prev in Thread] Current Thread [Next in Thread]