** Description changed: Recently, we are trying to find SSL security problems by static anaylsis. For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. During the experiment, we find that xface4-mailwatch-plugin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate.The followind is details: 1. - function: /scrollz-2.1/source/server.c login_to_server() + function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c + xfce_mailwatch_net_conn_make_secure() problem: Hostname verification missing 2. - function: /scrollz-2.1/source/server.c login_to_server() + function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c + xfce_mailwatch_net_conn_make_secure() problem: expired date check missing To verify the result, we attack the software manually: 一.Hostname verification 1. write the file /etc/hosts in order to simulate DNS hijack: 64.32.24.176 irc.mibbit.net 46.137.23.30 chat.freenode.net (PS:exchange the ip between these two irc servers) 2. connecting chat.freenode.net with scrollz /server -ssl irc.mibbit.net:6697 3. result : we connected irc.mibbit.net!! The fetch succeeded, indicating srcollz didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. 2. run scrollz to connect a normal irc server, such as irc.mibbit.net(46.137.12.30) 3. result : connect succeed!! The fetch succeeded again and no warning was given, indicating scrollz didn't check whether the certificate expired or not. I am running scrollz 2.1-1.1 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks.
** Description changed: Recently, we are trying to find SSL security problems by static anaylsis. For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. During the experiment, we find that xface4-mailwatch-plugin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate.The followind is details: 1. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c - xfce_mailwatch_net_conn_make_secure() + xfce_mailwatch_net_conn_make_secure() problem: Hostname verification missing 2. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c - xfce_mailwatch_net_conn_make_secure() + xfce_mailwatch_net_conn_make_secure() problem: expired date check missing To verify the result, we attack the software manually: 一.Hostname verification - 1. write the file /etc/hosts in order to simulate DNS hijack: - 64.32.24.176 irc.mibbit.net - 46.137.23.30 chat.freenode.net - (PS:exchange the ip between these two irc servers) + 1.configure xface4-mailwatch-plugin: + IMAP(SSL) :imap.163.com + Username : 598105904 + Password : <Your password> + Advanced: Use SSL/TLS on alternate port - 2. connecting chat.freenode.net with scrollz - /server -ssl irc.mibbit.net:6697 + 2. change /etc/hosts in order to simulate the DNS hijack + 113.108.16.116 imap.163.com + (113.108.16.116 is QQ’s imap server) - 3. result : we connected irc.mibbit.net!! + 3. run xfce4-mailwatch-plugin to fetch the mail - The fetch succeeded, indicating srcollz didn't check the hostname + 4. result : succeed!!! + + The fetch succeeded, indicating the software didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. 2. run scrollz to connect a normal irc server, such as irc.mibbit.net(46.137.12.30) 3. result : connect succeed!! - The fetch succeeded again and no warning was given, indicating scrollz - didn't check whether the certificate expired or not. + The fetch succeeded again and no warning was given, indicating the + software didn't check whether the certificate expired or not. I am running scrollz 2.1-1.1 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. ** Description changed: Recently, we are trying to find SSL security problems by static anaylsis. For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. During the experiment, we find that xface4-mailwatch-plugin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate.The followind is details: 1. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c xfce_mailwatch_net_conn_make_secure() problem: Hostname verification missing 2. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c xfce_mailwatch_net_conn_make_secure() problem: expired date check missing To verify the result, we attack the software manually: 一.Hostname verification 1.configure xface4-mailwatch-plugin: - IMAP(SSL) :imap.163.com - Username : 598105904 - Password : <Your password> - Advanced: Use SSL/TLS on alternate port + IMAP(SSL) :imap.163.com + Username : 598105904 + Password : <Your password> + Advanced: Use SSL/TLS on alternate port 2. change /etc/hosts in order to simulate the DNS hijack - 113.108.16.116 imap.163.com - (113.108.16.116 is QQ’s imap server) + 113.108.16.116 imap.163.com + (113.108.16.116 is QQ’s imap server) 3. run xfce4-mailwatch-plugin to fetch the mail 4. result : succeed!!! The fetch succeeded, indicating the software didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. - 2. run scrollz to connect a normal irc server, such as irc.mibbit.net(46.137.12.30) - 3. result : connect succeed!! - The fetch succeeded again and no warning was given, indicating the - software didn't check whether the certificate expired or not. + 2. run xfce4-mailwatch-plugin to fetch the mail. + + 3. result:succeed!! + + + The fetch succeeded again and no warning was given, indicating the software didn't check whether the certificate expired or not. I am running scrollz 2.1-1.1 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. ** Description changed: Recently, we are trying to find SSL security problems by static anaylsis. For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism. During the experiment, we find that xface4-mailwatch-plugin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate.The followind is details: 1. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c xfce_mailwatch_net_conn_make_secure() problem: Hostname verification missing 2. function: /xfce4-mailwatch-plugin-1.1.0/libmailwatch-core/mailwatchnet-conn.c xfce_mailwatch_net_conn_make_secure() problem: expired date check missing To verify the result, we attack the software manually: 一.Hostname verification 1.configure xface4-mailwatch-plugin: - IMAP(SSL) :imap.163.com - Username : 598105904 - Password : <Your password> - Advanced: Use SSL/TLS on alternate port + IMAP(SSL) :imap.163.com + Username : 598105904 + Password : <Your password> + Advanced: Use SSL/TLS on alternate port 2. change /etc/hosts in order to simulate the DNS hijack - 113.108.16.116 imap.163.com + 113.108.16.116 imap.163.com (113.108.16.116 is QQ’s imap server) 3. run xfce4-mailwatch-plugin to fetch the mail 4. result : succeed!!! The fetch succeeded, indicating the software didn't check the hostname against the signee of the certificate. 二. Also for expired time check, 1. change the system time to 2200 to guarantee the certificate to be expired. 2. run xfce4-mailwatch-plugin to fetch the mail. 3. result:succeed!! + The fetch succeeded again and no warning was given, indicating the + software didn't check whether the certificate expired or not. - The fetch succeeded again and no warning was given, indicating the software didn't check whether the certificate expired or not. - - I am running scrollz 2.1-1.1 in ubuntu 14.04 LTS. + I am running xface4-mailwatch-plugin 1.2.0-1 in ubuntu 14.04 LTS. for more information about the importance of checking hostname: see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1376595 Title: xface4-mailwatch-plugin have some SSL security problems To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xfce4-mailwatch-plugin/+bug/1376595/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
