From: Jeffrey Hutzelman [mailto:jhutz(_at_)cmu(_dot_)edu]
On Thursday, September 07, 2006 08:12:44 PM -0700
"Hallam-Baker, Phillip"
<pbaker(_at_)verisign(_dot_)com> wrote:
The solution to this particular problem is to use SSL as the transport.
IMAP and POP both support this use. It is a trivial matter
to discover
that IMAPS is supported using an SRV record.
Of course, if you depend on this technique to determine
whether TLS should be used, you are subject to a downgrade
attack which not only exposes your password to a dictionary
attack, but also makes it fairly simple for an attacker to
gain access to the server as you _without_ carrying out such
an attack.
How so?
The attacker cannot downgrade the server security, particularly if the server
does not support unencrypted IMAP or POP.
I don't think the lack of support for unencrypted IMAP or POP is quite
sufficient. What's to stop an attacker acting as a MITM (by
publishing a bogus SRV record or whatever) getting an unencypted connection and
turning around and connecting to the server using encryption?
Either a client key check on the server or the client requiring
encyption and checking the server cert will address this, I believe.
If you deploy DNSSEC the downgrade attack can be eliminated.
That prevents one MITM attack vector, but there may be others.
However, just because this and other attacks are real doesn't mean that there's
no security gain from a setup that's subject to downgrade attacks. Often as not
it is far more difficult to mount a MITM attack than it is to mount to perform
passive eavesdropping.
Ned
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf