Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zimbra Desktop Vulnerable to Man-in-the-Middle Attack

Posted by timothy on from the imperfect-world dept.

tiffanydanica writes "For all the flack Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues), doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems, it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spaming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface."

9 of 49 comments (clear)

  1. Re:Phorm reads your Email? by Sorthum · · Score: 3, Informative

    The first post is redundant? Odd.

    Anyhoo, no-- Phorm couldn't read it unless they're attempting to MITM SSL by default-- which would get the living crap sued out of them by just about everbody...

  2. Re:man in the middle by aussie_a · · Score: 2, Informative

    So a man in the middle would decompile the program, change the address it goes to, then recompile it, and that's going to be stopped if it used HTTPS?

    I do realise man-in-the-middle attacks are possible. But what you described certainly isn't one.

  3. Re:man in the middle by x_MeRLiN_x · · Score: 4, Informative

    As aussie_a said, what you describe is in no way similar to a man-in-the-middle attack. 'MITM' refers to be the ability to eavesdrop on and forge network traffic. Fake login pages is part of 'phishing'.

    http://en.wikipedia.org/wiki/Man-in-the-middle_attack
    http://en.wikipedia.org/wiki/Phishing

  4. Re:man in the middle by wirelessbuzzers · · Score: 4, Informative

    How do you just jump in the middle of someone's connection?

    There are a number of ways to do it. You can:

    • Be the victim's ISP.
    • Run an open wireless AP.
    • Break WEP or WPA (there's a known flaw in that too, now, at least if you use RC4).
    • Hack or spoof the victim's router.
    • Mess with the victim's DHCP.
    • Spoof mobile IPv6.
    • Several other attacks on a hub network.
    • ARP spoofing.
    • BGP spoofing.
    • Poison DNS caches.
    • Exploit the Kaminski flaw.

    There are probably a few other ways to do it, but that's all off the top of my head.

    --
    I hereby place the above post in the public domain.
  5. Re:man in the middle by Gnavpot · · Score: 1, Informative

    As aussie_a said, what you describe is in no way similar to a man-in-the-middle attack. 'MITM' refers to be the ability to eavesdrop on and forge network traffic. Fake login pages is part of 'phishing'.

    Phishing does not exclude MITM attacks.

    If the phishing site acts as a proxy to the real site - as described by the GP - it IS a MITM attack.

  6. Re:Firefox error messages by iammani · · Score: 2, Informative

    2. They look like errors. They're not errors, they're warnings.

    A bad SSL certificate is an error. These types of rationalization are simply born of outright laziness coupled with gross ineptitude.

    Especially since you can even get free ssl certificates from people like http://www.startssl.com/?app=1

  7. Re:Responsible disclosure? by Cow+Jones · · Score: 4, Informative

    You have to give the vendor at least a chance to get the bug fixed.

    No, you don't. For all we know, some black-hat hacker may have already found this vulnerability and be actively exploiting it.

    It's the same old discussion every time. There are arguments for and against releasing vulnerabilities without notifying the vendor in advance, I know, but from a developer's standpoint (and from a user's), it's preferrable to give at least a grace period before releasing the details.

    The advantages of releasing immediately are:

    • Users can be told about possible workarounds.
    • There's a better chance of the vendor releasing a patch/fix in a timely manner.
    • You can show off your l33t zero-day skillz.

    The disadvantages are:

    • Any black-hat who hadn't noticed the problem now knows about it and can write an exploit.
    • The entire user base is immediately at risk from script kiddies. If there was no exploit of the bug in the wild, there soon will be.
    • The vendor does not get time to send a security alert and workaround instructions to its registered users or to its security mailing list.
    • The vendor may have to rush the bugfix release before proper testing and QA is complete.

    In this specific case, the Zimbra users are definitely worse off, unless they happen to read Holden Karau's blog (or Slashdot).
    But maybe Holden will get his t-shirt now, so that's ok.

    CJ

    --

    Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
  8. Re:man in the middle by Anonymous Coward · · Score: 0, Informative

    SSL certs are fucking worthless. vericrap issue them and are a default CA in IE, yet it's been shown they make zero effort to authenticate who you are as long as you pay them the cash.

  9. Re:Local http proxy? by gomoX · · Score: 2, Informative

    Most proxies just forward HTTPS traffic because they can't do anything else (they can't read the contents of the messages!).

    Technically you could verify the authenticity of the public key proposed by the host (or MitM) because IIRC at that point the communication isn't encrypted yet, but I don't know if there's personal proxying software that can do this.

    --
    My english is sow-sow. Sowhat?