Automatic encryption of stored messages

Dan White dwhite at olp.net
Wed Apr 28 13:52:37 EDT 2010


On 28/04/10 14:38 -0300, Reinaldo de Carvalho wrote:
>If the hacker owned the server he can
>- use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e
>PASS" to get password in next user authentication.
>- read TLS private key file and look traffic with tcpdump.
>- read TLS private key from memory.
>- switch imapd daemon to a version that save user/password on a file.

That's easier than it sounds (in imapd.conf):

sasl_auto_transition: 1
sasl_auxprop_plugin: sasldb

which would place all shared secrets in the clear, into /etc/sasldb2

or even worse, set sasl_auxprop_plugin to ldapdb or sql and configure it to
store the shared secrets somewhere over the network. No need to bother with
decrypting the TLS traffic.

-- 
Dan White


More information about the Cyrus-sasl mailing list