[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 15/10/14 07:48, Martijn Grooten wrote: > > I do think attacking IMAP/POP3 is pretty difficult though, thus making > the issue a lot less urgent than on web browsers and servers. Yes, web servers are all done. Browsers are more mixed.... Firefox: about:config, "security.tls.min.version 1" ( 1 = "TLSv1.0", whilst there search for "rc4" if you are really paranoid, and disable those ciphers). Chrome needs command line arguments for everything. Google say they will disable it, but the latest Chrome release was catching up with Adobe Flash issues. Chrome also isn't doing revocation checking, but does has an XSS auditor, you pays your money and takes your choice. I run Firefox without Flash or Java where it matters most to me, and have hardened the TLS settings, and some others, but lets not kid ourselves it is still hideously vulnerable. I'm taking the opportunity to ditch SSLv3 from everything. Various recommendations were saying it is old, and a bit rough around the edges, so this issue is good opportunity to bury it. Fortunately I'd done IMAP4S and POP3S, so I got stunnel working with regular protocols easily enough. Not sure from description how hard it is to exploit in other protocols. Sounds like it would need a contrived situation to make it work against mail protocols, but I can imagine if you can force repeated sending of an email (or repeated fetching of emails?), it might be possible to use a similar attack to reveal email credential, but probably by that point most attackers have what they need (new spam source), since you've probably already sent 100,000s of emails. Not sure what impact date/time stamps and the like have, but fairly sure with the details out there it will be ripped open quickly if there is a way. -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq