MBOX-Line: From Pidgeot18 at verizon.net Tue Mar 18 21:13:10 2014
To: imap-protocol@u.washington.edu
From: Joshua Cranmer <Pidgeot18@verizon.net>
Date: Fri Jun 8 12:34:52 2018
Subject: [Imap-protocol] STARTTLS after PREAUTH
In-Reply-To: <1395200804.27059.96196209.4345452F@webmail.messagingengine.com>
References: <20140318141305.Horde.iyy0UP8Ostx9TojRZiFyjw1@bigworm.curecanti.org>
<059bac1f-35eb-4f87-bd5e-e986dfb46b83@flaska.net>
<20140318152549.Horde.0C2tXb4vwx_29xt0ZbwdEQ4@bigworm.curecanti.org>
<1395187453.9897.96141249.7BE88CD8@webmail.messagingengine.com>
<53290DE4.2020909@verizon.net>
<1395200804.27059.96196209.4345452F@webmail.messagingengine.com>
Message-ID: <53291956.90203@verizon.net>
On 3/18/2014 10:46 PM, Bron Gondwana wrote:
> And then it fell back to the Mozilla ISP database, but there's no
> reason I couldn't have MITMed that and stolen the gmail creds too.
> Thunderbird is pretty trivially fooled at setup time. Bron.
The ISP database requires an https connection IIRC, but that's a minor
detail (I thought autoconfig also required https and not http, but
again, that's minor).
You seem to be coming from the standpoint that a security system that
can't protect against everything is no better than one that protects
against most things. Autoconfiguration can be fooled, true (even if
https were required--we fall back to guessing servers and trying
commands, so a DNS hijack setup could easily screw it over). But you
have a 5-second window (and I'm being generous here) to do it. And if
you miss that chance, you've lost it for another 3 years.
It's like ssh: ssh is actually weak to being MITM'd on the first
connection (based on how people use it): people don't remember the keys,
so they'll always say "yes" to the question "are you sure this key is
correct?" Does that mean that ssh provides no protection? Of course
not--the difficulty of intercepting the ssh connection is made much
harder and makes attackers pour much more resources into doing so.
--
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth
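The ssh comparison above rests on trust-on-first-use: a key is pinned on the first connection and every later connection is checked against the pin, so a substituted key after that point is a detectable event rather than a silent success. The following is an added illustration of that model, not code from the thread or from Thunderbird or ssh; the host name and key strings are constructed.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional


class TofuStore:
    """Trust-on-first-use pin store, in the spirit of ssh's known_hosts.

    The first time a host is seen its key fingerprint is pinned; every later
    presentation is compared against the pin. Only the first contact is the
    window the mail describes; afterwards a changed key is flagged."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path            # optional on-disk persistence of the pins
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    @staticmethod
    def fingerprint(public_key: bytes) -> str:
        return hashlib.sha256(public_key).hexdigest()

    def check(self, host: str, public_key: bytes) -> str:
        """Return 'first-contact', 'match' or 'mismatch' for this host/key."""
        fp = self.fingerprint(public_key)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp    # pin on first sight
            self._save()
            return "first-contact"
        return "match" if pinned == fp else "mismatch"

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins))


def simulate() -> list[str]:
    """Genuine key seen first, then again, then a substituted key.

    Host name and key bytes are constructed for the example."""
    store = TofuStore()
    real_key = b"ssh-ed25519 CONSTRUCTED-genuine-server-key"
    rogue_key = b"ssh-ed25519 CONSTRUCTED-substituted-key"
    return [
        store.check("imap.example.net", real_key),   # "first-contact"
        store.check("imap.example.net", real_key),   # "match"
        store.check("imap.example.net", rogue_key),  # "mismatch"
    ]
```

The same check with the order reversed (substituted key presented first) returns "first-contact" for the rogue key, which is exactly the one-shot window the mail argues is all an attacker gets.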