Zimbra Desktop Vulnerable to Man-in-the-Middle Attack
tiffanydanica writes "For all the flak Mozilla gets about its new security warnings for https sites, at least it warns the user when a mismatch occurs. Sadly the new Yahoo! Zimbra Desktop (released in part to fix some security issues) doesn't bother validating the SSL certificate on the other side before sending along the username and password, making it vulnerable to a man-in-the-middle attack. This is certainly a step up from transmitting the information in the clear, since the attacker must switch from being passive to active, but with all of the DNS security problems, it would be fairly trivial for a malicious attacker to grab a large number of Yahoo! accounts (be it for phishing or spamming). Hopefully this issue will get fixed shortly, but for now Yahoo! Zimbra Desktop users may wish to use the webmail interface."
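The failure described in the summary (a TLS client that encrypts but never validates the server certificate) next to a verifying configuration, as an added example using Python's standard `ssl` module; it is not Zimbra's code or part of the original story, and the function names are hypothetical.

```python
import socket
import ssl

def unverified_context():
    """The weak setup: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked
    return ctx

def verified_context():
    """Library defaults: trusted chain required and name matched to the host."""
    return ssl.create_default_context()

def audit(ctx):
    """Return the validation gaps in a client context (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    return findings

def open_verified(host, port, ctx, timeout=10.0):
    """Return a TLS socket only after the handshake has validated the peer.

    Credentials should be written to the returned socket and nowhere else,
    so nothing is sent if validation is disabled or fails.
    """
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # Raises ssl.SSLCertVerificationError on an untrusted or mismatched cert.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

if __name__ == "__main__":
    print("unverified:", audit(unverified_context()))
    print("verified:  ", audit(verified_context()))
```
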
Responsible disclosure? (Score:2, Insightful)
First of all, I don't see any reason why this would be on the Slashdot front page. Many vulnerabilities like this one are discovered every day, and many are more critical and interesting, and concern products that are more widely used than Zimbra. Just take a look at Bugtraq [securityfocus.com] to see a few samples.
More importantly, we shouldn't promote any random blogger who posts about security vulnerabilities to get t-shirts from Yahoo:
There's such a thing as responsible disclosure, and that's not blogging happily about everything you find, on a Friday no less, and then mentioning in passing that "At the time of the writing Yahoo! security has been notified." You have to give the vendor at least a chance to get the bug fixed.
CJ
Re:Firefox error messages (Score:2, Insightful)
Firefox gets criticised for its new warnings because:
1. The old mis-match warnings were just fine unless the user doesn't read warnings, in which case the new ones won't help anyway.
If you want to work around the certificate error, you more or less have to read the text. Arbitrarily clicking the "go away" button does not do what you would expect. Even once you choose to add an exception, you have to manually press a button to choose to download the certificate, and THEN enable the exception.
2. They look like errors. They're not errors, they're warnings.
A bad SSL certificate is an error. These types of rationalization are simply born of outright laziness coupled with gross ineptitude.
3. Why can't it just present the page as insecure (no padlock) by default?
It would still say 'https'. Why can't administrators just use non-broken certificates?
Re:Firefox error messages (Score:2, Insightful)
Firefox gets criticised for its new warnings because:
1. The old mis-match warnings were just fine unless the user doesn't read warnings, in which case the new ones won't help anyway.
2. They look like errors. They're not errors, they're warnings.
You can't have it both ways - those two points are contradictory. If they look like an error, then someone who doesn't read them will think they're an error and stop - they'll hit the Home button or whatever. That saved the non-warning-reader from being phished.
3. Why can't it just present the page as insecure (no padlock) by default?
Because it's not a big enough clue that you're being attacked by an active man-in-the-middle (e.g. Kaminsky DNS attack). People will miss it - after all, they went to their bank via their bookmark as usual, they're expecting it to be secure. You want a big full-screen "you are being hacked!" warning.