[40895] in bugtraq
Re: Mozilla Thunderbird SMTP down-negotiation weakness
daemon@ATHENA.MIT.EDU (Jason Haar)
Wed Oct 26 12:59:31 2005
Message-ID: <435F4DDF.2060905@trimble.co.nz>
Date: Wed, 26 Oct 2005 22:35:27 +1300
From: Jason Haar <Jason.Haar@trimble.co.nz>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <435E11CA.6080406@henlich.de>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Thomas Henlich wrote:
>Sequence of attack
>
>- S sends EHLO response with STARTTLS advertisement.
>- A4 discards S's STARTTLS advertisement.
>- PLAIN authentication takes place.
>- A4 can read cleartext password.
>
>RESOLUTION
>
>For A1-A3 no resolution is known. For A4, set user preference to
>enforce TLS.
>
>
>
Comment about A4.
Thunderbird explicitly allows you "TLS, if available" - which appears to
be what you refer to. However, there is a "TLS" - which means only do
TLS - and alert if the TLS certificate presented doesn't match a known
one (which would happen in a MITM).
Are you referring to a bug in their "TLS" mode - or implying that "TLS,
if available" is somehow not... what it says it is...???
Doesn't sound like a hole to me.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
