[13432] in bugtraq

Re: Misleading sense of security in Netscape

daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Wed Jan 19 13:55:52 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <3884BFD4.BF20B30D@nodc.noaa.gov>
Date:         Tue, 18 Jan 2000 14:32:36 -0500
Reply-To: jogata@NODC.NOAA.GOV
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Craig Ruefenacht wrote:
>
> Hi,
>
> Over the last week I've been playing around with the Netscape
> Communicator package, version 4.7, on multiple Microsoft Windows
> platforms, including Windows95, Windows98, WindowsNT workstation, and
> Windows2000 Server Release Candidate #2.  I have discovered a couple of
> things with a utility that comes with the Netscape Communicator package
> which could lead a user into a false sense of security while reading
> email.
>
> I have tested the issues I describe in this email on Windows95,
> Windows98, WindowsNT 4.0 workstation, and Windows2000 Server Release
> Candidate 2, using Netscape Communicator 4.7, 128-bit encryption (US
> strong encryption version), using both already existing and newly
> created Windows users on the Windows box.  I have reported the issues
> described in this email to Netscape a few days ago but haven't heard
> back from them yet.
>
> First, some history...
>
> It is well known throughout the Internet that the two most common
> protocols for reading email, POP3 (port 110) and IMAP (port 143), are
> sent in the clear over the network.  When users use either of these
> protocols to read email, they send their email server username and
> password in the clear over the network.  A malicious person with access
> to the network where this traffic flows could sniff that network and
> obtain the email username and password of unsuspecting users.  Netscape
> Messenger is one such email client that lets users use POP3 and IMAP to
> read email.
>
> To improve security and prevent email server usernames and passwords
> from going over the Internet as clear text, there is built-in support
> for using the IMAP protocol over a SSL channel.  When using this setup,
> information that travels on the Internet from the user's computer to the
> email server is encrypted.  A malicious person would have a hard time
> getting the email username and password of users using this setup.  IMAP
> over SSL uses port 993, and it requires that, on the server end, you use
> a SSL wrapper like stunnel or SSLwrap around the IMAP server to handle
> the SSL connection on the server's end.  Netscape Messenger, Microsoft
> Outlook and Outlook Express (and probably others) support the IMAP over
> SSL setup.
>
> Now the things I've discovered...
>
> Netscape Communicator comes with a utility called "Netscape Mail
> Notification".  The binary is named nsnotify.exe.  This utility program,
> when run, places a small icon in the shape of an envelope on the taskbar
> of Windows95/98/NT/2000.  This utility will go out at specified time
> intervals to the email server, log into the email server, and check to
> see if any new email has arrived for the user.  If new email is
> detected, a small red flag is animated on top of the envelope icon to
> visually let the user know that new email is waiting to be read.  You
> cannot use this utility to read email - it is designed to simply let
> users know when new email arrives.  Many users place this utility in
> their Startup group so that it starts up every time they log into
> Windows.  You should note that it isn't placed there automatically.
> During a normal install of Netscape Communicator, this utility program
> is placed in Start->Programs->Wherever_Netscape_Is->Utilities.
>
> This utility program (Netscape Mail Notification) has its own options
> that you can set by right-mouse clicking on the envelope icon once the
> program is running, but, settings such as the email server name, email
> server type, and email server username, it gets from the preferences
> found in the Netscape Communicator preferences settings.  This is where
> I discovered some interesting things.
>
> ----------------------------------------------
> 1. In Netscape Messenger, in
> Edit->Preferences->Mail_and_Newsgroups->Mail_Servers, regardless of
> whether the user has told Messenger to remember or not remember their
> email server password, the Netscape Mail Notification program will
> always remember the email server password for the user.  The first time
> a user runs Netscape Mail Notification it will ask for their email
> server password (it gets the email server hostname, email server type
> (POP3 or IMAP), and email server username from Messenger preferences).
> It then remembers that password and never asks the user for it again,
> even if the user logs out and logs back into Windows, regardless of
> whether the user wants it to remember it or not.
>
> For users who are concerned about security and would prefer that their
> email client not remember their email server password (i.e. they have to
> type it in every time they start their email client), if they use
> Netscape Mail Notification, it could lead to a false sense of security
> because Netscape Mail Notification remembers the user's email server's
> password regardless.
>
> ----------------------------------------------
> 2. The other item I discovered in Netscape Mail Notification, and which
> I feel is a greater problem than #1 above, is that regardless of whether
> the user has told Netscape Messenger to use a SSL connection when
> retrieving email using IMAP (on port 993), Netscape Mail Notification
> will always use IMAP without SSL.  Here again Netscape Mail Notification
> gets the email server hostname, email server type (POP3 or IMAP), and
> email server username from Netscape Messenger preferences, but, if the
> user is using IMAP, Netscape Mail Notification fails to use IMAP over
> SSL when the user has told Netscape Messenger to require a SSL
> connection.
>
> For users who use IMAP over SSL because they don't want their email
> server username and password to go over the Internet as clear text, if
> that user uses the Netscape Mail Notification utility to watch for new
> messages, using IMAP over SSL will achieve nothing, because Netscape
> Mail Notification will never use a SSL connection, and the user's email
> server username and password will still be sent in clear text to the
> email server every time Netscape Mail Notification goes out to check for
> new email.

With Netscape talking IMAP to the washington.edu daemon, the username/password
are definitely not sent in the clear -- the server issues a pair of challenges.
Perhaps other daemons don't support challenge authentication...? It's been a
long time since I looked at the IMAP RFC, but I seem to recall that IMAP
supports multiple authentication mechanisms.

--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
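
An added example, not part of either post: a classifier for captured port-143
IMAP sessions that separates the cases this thread turns on, namely a plain
LOGIN command, SASL mechanisms that are only base64-encoded, and
challenge-response mechanisms where the password is not transmitted. The
session transcripts, user name, password and host below are constructed.

```python
import base64
import hmac
import re

ENCODED_ONLY = {"PLAIN", "LOGIN"}  # base64 is encoding, not protection
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}  # password never transmitted

def b64(s):
    return base64.b64encode(s.encode()).decode()

def classify_imap_auth(lines):
    """Classify a plain-port IMAP session given as 'C: '/'S: ' prefixed lines.

    Returns (verdict, mechanism, decoded_server_challenges)."""
    mech, challenges = None, []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C" and mech is None:
            m = re.match(r"\S+\s+(LOGIN|AUTHENTICATE)\s+(\S+)", text, re.I)
            if m and m.group(1).upper() == "LOGIN":
                return ("exposed", "LOGIN", [])  # password is a command argument
            if m:
                mech = m.group(2).upper()
        elif side == "S" and mech and text.startswith("+"):
            # Continuation request: the payload after "+" is base64.
            raw = base64.b64decode(text[1:].strip())
            challenges.append(raw.decode("ascii", "replace"))
    if mech in ENCODED_ONLY:
        return ("exposed", mech, challenges)
    if mech in CHALLENGE_RESPONSE:
        return ("not-sent", mech, challenges)
    return ("unknown", mech, challenges)

# Constructed sample sessions; user, password and host are made up.
CHAL = "<1896.697170952@mail.example>"
DIGEST = hmac.new(b"s3cret", CHAL.encode(), "md5").hexdigest()
SESSIONS = {
    "login": ["S: * OK ready", "C: a1 LOGIN alice s3cret", "S: a1 OK"],
    "auth-login": ["C: a1 AUTHENTICATE LOGIN", "S: + " + b64("Username:"),
                   "C: " + b64("alice"), "S: + " + b64("Password:"),
                   "C: " + b64("s3cret"), "S: a1 OK"],
    "cram-md5": ["C: a1 AUTHENTICATE CRAM-MD5", "S: + " + b64(CHAL),
                 "C: " + b64("alice " + DIGEST), "S: a1 OK"],
}

if __name__ == "__main__":
    for name, lines in SESSIONS.items():
        print(name, classify_imap_auth(lines))
```

Decoding the server's continuation lines is what distinguishes the cases: an
AUTHENTICATE LOGIN exchange carries two base64 prompts followed by the
base64-encoded user name and password, while CRAM-MD5 carries one nonce and a
keyed digest in reply.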
