X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=fetchmail-SA-2007-01.txt;h=5a09c5b9011b170dddaf4ef8f5de3ba2f80833bf;hb=91b6ab63f35f8f11544b401fced7859d963ad06c;hp=7c224f9344ef9f83c9a4b2fd263e3dad67ca818f;hpb=67e83dd1930726f316e19aef8f45efc9dc4feda3;p=~andy%2Ffetchmail diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt index 7c224f93..5a09c5b9 100644 --- a/fetchmail-SA-2007-01.txt +++ b/fetchmail-SA-2007-01.txt @@ -1,9 +1,12 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + fetchmail-SA-2007-01: APOP considered insecure -Topics: The POP3/APOP authentication, by itself, is considered broken. +Topics: APOP authentication insecure, fetchmail implementation lax Author: Matthias Andree -Version: 1.0 +Version: 1.1 Announced: 2007-04-06 Type: password theft when under MITM attack Impact: password disclosure possible @@ -24,6 +27,7 @@ Corrected: 2007-03-18 fetchmail SVN ================== 2007-04-06 1.0 first release +2008-04-24 1.1 add --ssl to section 3. suggestion A below 1. Background @@ -44,9 +48,13 @@ control) files for fetchmail. The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP". -Fetchmail's POP3 client implementation however has happily accepted -random garbage as a POP3 server's APOP challenge, rather than insisting -that the APOP challenge conformed to RFC-822, as required by RFC-1939. +APOP should no longer be considered secure. + +Additionally, fetchmail's POP3 client implementation has been validating +the APOP challenge too lightly and accepted random garbage as a POP3 +server's APOP challenge, rather than insisting that the APOP challenge +conformed to RFC-822, as required by RFC-1939. + This made it easier than necessary for man-in-the-middle attackers to retrieve by several probing and guessing the first three characters of the APOP secret, bringing brute forcing the remaining characters well 
@@ -60,7 +68,7 @@ Either of these is currently considered sufficient. A. Only use APOP on SSL or TLS secured connections with mandatory and thorough certificate validation, such as fetchmail --sslproto tls1 --sslcertck - or --sslproto ssl3 --sslcertck), or equivalent in the run control file. + or --ssl --sslproto ssl3 --sslcertck), or equivalent in the run control file. B. Avoid APOP and use stronger authenticators. @@ -74,16 +82,32 @@ C. If you must continue to use APOP without SSL/TLS, then install A. Copyright, License and Warranty ================================== -(C) Copyright 2007 by Matthias Andree, . +(C) Copyright 2007, 2008 by Matthias Andree, . Some rights reserved. -This work is licensed under the Creative Commons -Attribution-NonCommercial-NoDerivs German License. To view a copy of -this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ -or send a letter to Creative Commons; 559 Nathan Abbott Way; -Stanford, California 94305; USA. +This work is licensed under the +Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0). + +To view a copy of this license, visit +http://creativecommons.org/licenses/by-nd/3.0/de/deed.en +or send a letter to: + +Creative Commons +444 Castro Street +Suite 900 +MOUNTAIN VIEW, CALIFORNIA 94041 +USA + THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END OF fetchmail-SA-2007-01.txt + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVn6wCgkC9pMA9HxXG6lgbgoixd73Tn +Cz4AoKG+qB47vhGdXSTDDXDFgMDrMJ24 +=BKzz +-----END PGP SIGNATURE-----
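Review bot: the header's Version bump from 1.0 to 1.1 has no matching date: Announced: stays 2007-04-06 (correct for the first release), but nothing in the header records when 1.1 was issued, so a reader of the header alone cannot tell that this revision is a year newer. Suggest adding a line such as `Updated: 2008-04-24` next to Announced:, matching the changelog entry.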
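Review bot: the 1.1 changelog entry records only the --ssl addition to suggestion A, but this revision also rewrites the Topics line, restructures the Background section to state that APOP itself is no longer considered secure, changes the license from CC BY-NC-ND 2.0 to CC BY-ND 3.0 (dropping the NonCommercial term), and adds a PGP signature. A changed security assessment and a license change are exactly what readers diff advisory revisions for; suggest listing each in the 2008-04-24 entry.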
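Review bot: the new sentence "APOP should no longer be considered secure." stands alone with no reason given, whereas the Topics line it supersedes at least said the scheme was considered broken "by itself"; one clause on why (the MD5-based challenge/response named two lines above, for instance) or a pointer to the relevant section would let readers tell whether the weakness lies in the protocol or only in fetchmail's lax checking, which the next paragraph presents as a separate issue. Minor: "has been validating ... too lightly and accepted" mixes tenses; suggest "validated the APOP challenge too leniently and accepted random garbage".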
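Review bot: only the ssl3 example gains --ssl; the tls1 example on the unchanged line just above it (fetchmail --sslproto tls1 --sslcertck) does not. If --ssl is what makes the connection mandatory TLS rather than opportunistic, the tls1 form needs it too; otherwise the text should say why one form requires it and the other does not, since readers who copy the first example would miss the very fix this revision exists to add. Also, the closing parenthesis after --sslcertck has no opening counterpart in the visible lines.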
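Review bot: the copyright line reads "Matthias Andree, ." in both the old and new versions, so whatever contact belongs between the comma and the full stop is missing; if an address is intended there it should be restored rather than carried over empty. Separately, the signature block carries Version: GnuPG v1.4.11, a release newer than the 2008-04-24 revision date in the changelog, so the signature was evidently attached later than the text it covers; harmless, but worth a changelog line stating which revision was signed.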