[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability
|
From: |
Jens Lechtenboerger |
|
Subject: |
bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability |
|
Date: |
Fri, 05 Dec 2014 20:38:21 +0100 |
|
User-agent: |
Gnus/5.130012 (Ma Gnus v0.12) Emacs/25.0.50 (gnu/linux) |
This is a followup to bug#16978, where I reported multiple MITM
issues.
imap.el uses openssl's s_client via imap-ssl-program.
>From the man page:
> The s_client utility is a test tool and is designed to continue
> the handshake after any certificate verification errors. As a
> result it will accept any certificate chain (trusted or not) sent
> by the peer. None test applications should not do this as it makes
> them vulnerable to a MITM attack. This behaviour can be changed by
> with the -verify_return_error option: any verify errors are then
> returned aborting the handshake.
In addition, imap.el only tries SSLv2 and SSLv3, whose end-of-life
might be near. I cannot access some of my servers at all (as they
only allow TLS).
If the above was fixed, one would still be vulnerable to attacks
with “trusted” certificates.
imap.el should probably use nsm.el. In the meantime, I continue to
use the following:
(setq imap-ssl-program '("gnutls-cli --strict-tofu -p %p %s"))
Best wishes
Jens
- bug#19283: 25.0.50; imap.el with man-in-the-middle vulnerability,
Jens Lechtenboerger <=