| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Oct 2005 22:35:27 +1300 From: Jason Haar <Jason.Haar@...mble.co.nz> To: bugtraq@...urityfocus.com Subject: Re: Mozilla Thunderbird SMTP down-negotiation weakness Thomas Henlich wrote: >Sequence of attack > >- S sends EHLO response with STARTTLS advertisement. >- A4 discards S's STARTTLS advertisement. >- PLAIN authentication takes place. >- A4 can read cleartext password. > >RESOLUTION > >For A1-A3 no resolution is known. For A4, set user preference to >enforce TLS. > > > Comment about A4. Thunderbird explicitly allows you "TLS, if available" - which appears to be what you refer to. However, there is a "TLS" - which means only do TLS - and alert if the TLS certificate presented doesn't match a known one (which would happen in a MITM). Are you referring to a bug in their "TLS" mode - or implying that "TLS, if available" is somehow not... what it says it is...??? Doesn't sound like a hole to me. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Powered by blists - more mailing lists