Bugtraq mailing list archives
Re: Mozilla Thunderbird SMTP down-negotiation weakness
From: Bob Beck <beck () bofh cns ualberta ca>
Date: Wed, 26 Oct 2005 15:09:51 -0600
The "TLS, if available" option is common to most MUAs and is a serious security problem.
As is every other mainstream application of TLS/SSL I've ever seen coded into a mainstream application. Don't just pick on Thunderbird for it - applications using TLS/SSL typically make MITM easy by design, rather than difficult. Sit you your faviorite wireless network and MITM your faviorite ssl web sites off it. If your user population is very intelligent, maybe only 9 out of 10 will click the "Windows is annoying me with a box and an OK button - I will click OK to keep going" popup and ignore the certificate mismatch utterly. Otherwise the only hard part will be finding a user that doesn't ignore the mismatch - it's so easy to get passwords this way it isn't even sporting. It's like whacking baby seals with a stick. SSL/TLS applications are just the latest most fertile ground where software designers have put in a crutches for lazy stupid people thereby rendering something kinda ok into something mostly useless. -Bob -- Bob Beck AICT beck () bofh ucs ualberta ca University of Alberta if ((not 0 && not 1)!=(!0 && !1)){print "I want what Larry and Tom smoke!\n";}
Current thread:
- Mozilla Thunderbird SMTP down-negotiation weakness Thomas Henlich (Oct 25)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Jason Haar (Oct 26)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Tony Finch (Oct 26)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Bob Beck (Oct 29)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Jason Haar (Oct 29)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Tony Finch (Oct 26)
- Re: Mozilla Thunderbird SMTP down-negotiation weakness Jason Haar (Oct 26)