
Re: [LUG] Web based emails


Can the software spot when it is being tested, and reduce its omissions?

On Saturday, 24 October 2015, Simon Waters <simon@xxxxxxxxxxxxxx> wrote:
I can assess the behaviour of the two web interfaces and assess those aspects of security without source code. Or simply review past records (see below).

I can assess some aspects of infrastructure, SMTP, IMAP, and password management.

Much security testing is black box, even when the source code is available.

Source code is handy for static analysis, which is potentially the strongest method. There is only one bit of static analysis of Roundcube I could find mentioned publicly (PHP has relatively poor static analysis tools compared to some other languages), and the bugs being reported in Roundcube don't look terribly sophisticated or subtle.

Google on the other hand clearly has far more developed security processes, both from competence of deployment, measures of availability, and the low number of basic vulnerabilities being found across a huge web front end.

On this basis I'm reasonably confident in my assessment.

In fairness because Google do so many other things, it is plausible there are other issues in their environment that could potentially affect an account, but if the account was just for occasional emails this is unlikely to be a big risk. Ultimately you only need one hole that's exploitable.

https://www.cvedetails.com/vulnerability-list/vendor_id-8905/Roundcube.html

One important lesson I've learnt is to test yourself (never assume others have, or did it right). You may not find issues if brighter folk have been there before (although at work we had 3 issues drop out of widely deployed Wordpress plugins by running vanilla Burp Suite scans over websites with no particular skill on our part; clearly many eyes do not look at Wordpress plugins if shallow bugs remain), but the very process of looking will tell you if this is a sendmail or a Postfix, a bind 8 or a bind 9.

Although I note our static analysis tools at work give Postfix a "B" (when most of our code gets an "A"). Although I suspect that is more a question of style and complexity than security, since Postfix has been through a lot of static code analysis tools over the years.


--
Adrian Midgley  http://www.defoam.net/
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq