42 lines
2.1 KiB
Plaintext
42 lines
2.1 KiB
Plaintext
MBOX-Line: From Pidgeot18 at verizon.net Tue Mar 18 21:13:10 2014
|
|
To: imap-protocol@u.washington.edu
|
|
From: Joshua Cranmer <Pidgeot18@verizon.net>
|
|
Date: Fri Jun 8 12:34:52 2018
|
|
Subject: [Imap-protocol] STARTTLS after PREAUTH
|
|
In-Reply-To: <1395200804.27059.96196209.4345452F@webmail.messagingengine.com>
|
|
References: <20140318141305.Horde.iyy0UP8Ostx9TojRZiFyjw1@bigworm.curecanti.org>
|
|
<059bac1f-35eb-4f87-bd5e-e986dfb46b83@flaska.net>
|
|
<20140318152549.Horde.0C2tXb4vwx_29xt0ZbwdEQ4@bigworm.curecanti.org>
|
|
<1395187453.9897.96141249.7BE88CD8@webmail.messagingengine.com>
|
|
<53290DE4.2020909@verizon.net>
|
|
<1395200804.27059.96196209.4345452F@webmail.messagingengine.com>
|
|
Message-ID: <53291956.90203@verizon.net>
|
|
|
|
On 3/18/2014 10:46 PM, Bron Gondwana wrote:
|
|
> And then it fell back to the Mozilla ISP database, but there's no
|
|
> reason I couldn't have MITMed that and stolen the gmail creds too.
|
|
> Thunderbird is pretty trivially fooled at setup time. Bron.
|
|
The ISP database requires an https connection IIRC, but that's a minor
|
|
detail (I thought autoconfig also required https and not http, but
|
|
again, that's minor).
|
|
|
|
You seem to be coming from the standpoint that a security system that
|
|
can't protect against everything is no better than one that protects
|
|
against most things. Autoconfiguration can be fooled, true (even if
|
|
https were required--we fallback to guessing servers and trying
|
|
commands, so a DNS hijack setup could easily screw it over). But you
|
|
have a 5-second window (and I'm being generous here) to do it. And if
|
|
you miss that chance, you've lost it for another 3 years.
|
|
|
|
It's like ssh: ssh is actually weak to being MITM'd on the first
|
|
connection (based on how people use it): people don't remember the keys,
|
|
so they'll always say "yes" to the question "are you sure this key is
|
|
correct?" Does that mean that ssh provides no protection? Of course
|
|
not--the difficulty of intercepting the ssh connection is made extremely
|
|
harder and makes attackers pour much more resources into doing so.
|
|
|
|
--
|
|
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth
|
|
|
|
|