Automatic encryption of stored messages

Reinaldo de Carvalho reinaldoc at gmail.com
Wed Apr 28 14:10:11 EDT 2010


On Wed, Apr 28, 2010 at 2:52 PM, Dan White <dwhite at olp.net> wrote:
> On 28/04/10 14:38 -0300, Reinaldo de Carvalho wrote:
>>
>> If the hacker owns the server he can
>> - use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e
>> PASS" to get the password at the next user authentication.
>> - read the TLS private key file and look at the traffic with tcpdump.
>> - read the TLS private key from memory.
>> - switch the imapd daemon to a version that saves user/password to a file.
>
> That's easier than it sounds (in imapd.conf):
>
> sasl_auto_transition: 1
> sasl_auxprop_plugin: sasldb
>
> which would place all shared secrets in the clear, into /etc/sasldb2
>
> or even worse, set sasl_auxprop_plugin to ldapdb or sql and configure it to
> store the shared secrets somewhere over the network. No need to bother with
> decrypting the TLS traffic.
>

Creativity has no limit :)


-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)
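The imapd.conf settings Dan White quotes above can be checked for mechanically. The following audit script is an added example, not code from the thread or from Cyrus; it parses a constructed imapd.conf fragment and flags the combination of sasl_auto_transition with a sasldb, ldapdb or sql auxprop plugin. The set of accepted boolean spellings is an assumption.

```python
# Added example: audit an imapd.conf for the SASL transition settings discussed
# in the thread. sasl_auto_transition plus a sasldb/ldapdb/sql auxprop plugin
# makes the server write each user's shared secret in the clear at next login.

TRUE_VALUES = {"1", "yes", "on", "true"}   # assumed Cyrus-style boolean spellings
LOCAL_CLEARTEXT = {"sasldb"}               # secrets land in /etc/sasldb2
NETWORK_CLEARTEXT = {"ldapdb", "sql"}      # secrets leave the host over the network

# Constructed sample: the exact two lines from the thread, plus a comment.
SAMPLE_CONF = """\
# constructed imapd.conf fragment for the audit
sasl_auto_transition: 1
sasl_auxprop_plugin: sasldb
"""


def parse_imapd_conf(text):
    """Parse 'key: value' lines; '#' starts a comment; later keys override earlier."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_sasl_transition(conf):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    transition = conf.get("sasl_auto_transition", "0").lower() in TRUE_VALUES
    if not transition:
        return findings
    # sasl_auxprop_plugin may name several plugins separated by whitespace.
    plugins = set(conf.get("sasl_auxprop_plugin", "").lower().split())
    for plugin in sorted(plugins & LOCAL_CLEARTEXT):
        findings.append(f"sasl_auto_transition with {plugin}: secrets written in the clear to /etc/sasldb2")
    for plugin in sorted(plugins & NETWORK_CLEARTEXT):
        findings.append(f"sasl_auto_transition with {plugin}: secrets sent in the clear over the network")
    if not plugins:
        findings.append("sasl_auto_transition is on with no sasl_auxprop_plugin named; check which backend is loaded")
    return findings


if __name__ == "__main__":
    for finding in audit_sasl_transition(parse_imapd_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```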
