Automatic encryption of stored messages
Dan White
dwhite at olp.net
Wed Apr 28 13:52:37 EDT 2010
On 28/04/10 14:38 -0300, Reinaldo de Carvalho wrote:
>If the hacker owned the server he can
>- use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e
>PASS" to get the password at the next user authentication.
>- read the TLS private key file and look at the traffic with tcpdump.
>- read the TLS private key from memory.
>- switch the imapd daemon to a version that saves user/password to a file.
That's easier than it sounds (in imapd.conf):

  sasl_auto_transition: 1
  sasl_auxprop_plugin: sasldb

which would place all shared secrets, in the clear, into /etc/sasldb2.
Or even worse, set sasl_auxprop_plugin to ldapdb or sql and configure it to
store the shared secrets somewhere over the network. No need to bother with
decrypting the TLS traffic.
--
Dan White
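As an added example (not part of the mail above or of Cyrus itself), a small audit that parses an imapd.conf and flags the combination Dan describes: sasl_auto_transition enabled together with an auxprop plugin that would persist the transitioned shared secrets locally (sasldb) or over the network (ldapdb, sql). The config fragment is constructed, and the plugin-to-store mapping is an assumption drawn from the mail, not from Cyrus documentation.

```python
from typing import Dict, List

# Constructed sample imapd.conf fragment (not taken from any real deployment).
SAMPLE_IMAPD_CONF = """\
configdirectory: /var/lib/imap
sasl_pwcheck_method: auxprop
# the two lines below are the ones the mail warns about
sasl_auto_transition: 1
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN LOGIN CRAM-MD5
"""

# Assumed classification of auxprop plugins by where transitioned secrets end up.
LOCAL_SECRET_STORES = {"sasldb"}           # written to /etc/sasldb2 on the host
NETWORK_SECRET_STORES = {"ldapdb", "sql"}  # shipped to another system
TRUE_VALUES = {"1", "yes", "on", "true"}


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, ignoring blank lines and '#' comments."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip().lower()] = value.strip()
    return options


def audit_transition(options: Dict[str, str]) -> List[str]:
    """Return findings for settings that would persist shared secrets on the server."""
    findings: List[str] = []
    if options.get("sasl_auto_transition", "0").lower() not in TRUE_VALUES:
        return findings  # no transition, nothing is written on plaintext login
    findings.append("sasl_auto_transition enabled: plaintext logins are "
                    "written to the auxprop store")
    # sasl_auxprop_plugin may list several plugins separated by whitespace.
    plugins = set(options.get("sasl_auxprop_plugin", "").lower().split())
    for plugin in sorted(plugins & LOCAL_SECRET_STORES):
        findings.append(f"auxprop plugin {plugin}: transitioned secrets land in /etc/sasldb2")
    for plugin in sorted(plugins & NETWORK_SECRET_STORES):
        findings.append(f"auxprop plugin {plugin}: transitioned secrets are stored over the network")
    return findings


if __name__ == "__main__":
    for finding in audit_transition(parse_imapd_conf(SAMPLE_IMAPD_CONF)):
        print("WARNING:", finding)
```

Run it against the real /etc/imapd.conf and treat any finding as something to explain or remove; a clean config returns an empty list.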
More information about the Cyrus-sasl mailing list