Hi, Over the last week I've been playing around with the Netscape Communicator package, version 4.7, on multiple Microsoft Windows platforms, including Windows95, Windows98, WindowsNT workstation, and Windows2000 Server Release Candidate #2. I have discovered a couple of things with a utility that comes with the Netscape Communicator package which could lead a user into a false sence of security while reading email. I have tested the issues I describe in this email on Windows95, Windows98, WindowsNT 4.0 workstation, and Windows2000 Server Release Candidate 2, using Netscape Communicator 4.7, 128-bit encryption (US strong encryption version), using both already existing and newly created Windows users on the Windows box. I have reported the issues described in this email to Netscape a few days ago but haven't heard back from them yet. First, some history... It is well known throughout the Internet that the two most common protocols for reading email, POP3 (port 110) and IMAP (port 143), are sent in the clear over the network. When users use either of these protocols to read email, they send their email server username and password in the clear over the network. A malicious person with access to the network where this traffic flows could sniff that network and obtain the email username and password of unsuspecting users. Netscape Messenger is one such email client that lets users use POP3 and IMAP to read email. To improve security and prevent email server usernames and passwords from going over the Internet as clear text, there is built-in support for using the IMAP protocol over a SSL channel. When using this setup, information that travels on the Internet from the user's computer to the email server is encrypted. A malicious person would have a hard time getting the email username and password of users using this setup. IMAP over SSL uses port 993, and it requires that, on the server end, you use a SSL wrapper like stunnel or SSLwrap around the IMAP server to handle the SSL connection on the server's end. Netscape Messenger, Microsoft Outlook and Outlook Express (and probably others) support the IMAP over SSL setup. Now the things I've discovered... Netscape Communicator comes with a utility called "Netscape Mail Notification". The binary is named nsnotify.exe. This utility program, when run, places a small icon in the shape of an envelope on the taskbar of Windows95/98/NT/2000. This utility will go out at specified time intervals to the email server, log into the email server, and check to see if any new email has arrived for the user. If new email is detected, a small red flag is animated on top of the envelope icon to visually let the user know that new email is waiting to be read. You cannot use this utility to read email - it is designed to simply let users know when new email arrives. Many users place this utility in their Startup group so that it starts up every time they log into Windows. You should note that it isn't placed there automatically. During a normal install of Netscape Communicator, this utility program is placed in Start->Programs->Wherever_Netscape_Is->Utilities. This utility program (Netscape Mail Notification) has its own options that you can set by right-mouse clicking on the envelope icon once the program is running, but, settings such as the email server name, email server type, and email server username, it gets from the preferences found in the Netscape Communicator preferences settings. This is where I discovered some interesting things. ---------------------------------------------- 1. In Netscape Messenger, in Edit->Preferences->Mail_and_Newsgroups->Mail_Servers, regardless of whether the user has told Messenger to remember or not remember their email server password, the Netscape Mail Notification program will always remember the email server password for the user. The first time a user runs Netscape Mail Notification it will ask for their email server password (it gets the email server hostname, email server type (POP3 or IMAP), and email server username from Messenger preferences). It then remembers that password and never asks the user for it again, even if the user logs out and logs back into Windows, regardless of whether the user wants it to remember it or not.. For users who are concerned about security and would prefer that their email client not remember their email server password (ie they have to type it in every time they start their email client), if they use Netscape Mail Notification, it could lead to a false sense of security because Netscape Mail Notification remembers the user's email server's password regardless. ---------------------------------------------- 2. The other item I discovered in Netscape Mail Notification, and which I feel is a greater problem that #1 above, is that regardless of whether the user has told Netscape Messenger to use a SSL connection when retreiving email using IMAP (on port 993), Netscape Mail Notification will always use IMAP without SSL. Here again Netscape Mail Notification gets the email server hostname, email server type (POP3 or IMAP), and email server username from Netscape Messenger preferences, but, if the user is using IMAP, Netscape Mail Notification fails to use IMAP over SSL when the user has told Netscape Messenger to require a SSL connection. For users who use IMAP over SSL because they don't want their email server username and password to go over the Internet as clear text, if that user uses the Netscape Mail Notification utility to watch for new messages, using IMAP over SSL will achieve nothing, because Netscape Mail Notification will never use a SSL connection, and the user's email server username and password will still be sent in clear text to the email server every time Netscape Mail Notification goes out to check for new email. -- ------------------------------------------------------------- Craig Ruefenacht Systems Engineer ruefenacat_private Digital Signature Trust (801) 983-4401 http://www.digsigtrust.com/ -------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:04 PDT