Zimbra Desktop Vulnerable to Man-in-the-Middle Attack 49
tiffanydanica writes "For all the flack Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues), doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems, it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spaming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface."
Re:Phorm reads your Email? (Score:4, Informative)
The first post is redundant? Odd.
Anyhoo, no-- Phorm couldn't read it unless they're attempting to MITM SSL by default-- which would get the living crap sued out of them by just about everbody...
Re:man in the middle (Score:3, Informative)
So a man in the middle would decompile the program, change the address it goes to, then recompile it, and that's going to be stopped if it used HTTPS?
I do realise man-in-the-middle attacks are possible. But what you described certainly isn't one.
Re:man in the middle (Score:5, Informative)
As aussie_a said, what you describe is in no way similar to a man-in-the-middle attack. 'MITM' refers to be the ability to eavesdrop on and forge network traffic. Fake login pages is part of 'phishing'.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack [wikipedia.org]
http://en.wikipedia.org/wiki/Phishing [wikipedia.org]
Re:man in the middle (Score:5, Informative)
How do you just jump in the middle of someone's connection?
There are a number of ways to do it. You can:
There are probably a few other ways to do it, but that's all off the top of my head.
Re:man in the middle (Score:2, Informative)
Phishing does not exclude MITM attacks.
If the phishing site acts as a proxy to the real site - as described by the GP - it IS a MITM attack.
Re:Firefox error messages (Score:2, Informative)
2. They look like errors. They're not errors, they're warnings.
A bad SSL certificate is an error. These types of rationalization are simply born of outright laziness coupled with gross ineptitude.
Especially since you can even get free ssl certificates from people like http://www.startssl.com/?app=1 [startssl.com]
Re:Responsible disclosure? (Score:5, Informative)
You have to give the vendor at least a chance to get the bug fixed.
No, you don't. For all we know, some black-hat hacker may have already found this vulnerability and be actively exploiting it.
It's the same old discussion every time. There are arguments for and against releasing vulnerabilities without notifying the vendor in advance, I know, but from a developer's standpoint (and from a user's), it's preferrable to give at least a grace period before releasing the details.
The advantages of releasing immediately are:
The disadvantages are:
In this specific case, the Zimbra users are definitely worse off, unless they happen to read Holden Karau's blog (or Slashdot).
But maybe Holden will get his t-shirt now, so that's ok.
CJ
Re:man in the middle (Score:0, Informative)
Re:Local http proxy? (Score:3, Informative)
Most proxies just forward HTTPS traffic because they can't do anything else (they can't read the contents of the messages!).
Technically you could verify the authenticity of the public key proposed by the host (or MitM) because IIRC at that point the communication isn't encrypted yet, but I don't know if there's personal proxying software that can do this.