Craig Ruefenacht wrote: > > Hi, > > Over the last week I've been playing around with the Netscape > Communicator package, version 4.7, on multiple Microsoft Windows > platforms, including Windows95, Windows98, WindowsNT workstation, and > Windows2000 Server Release Candidate #2. I have discovered a couple of > things with a utility that comes with the Netscape Communicator package > which could lead a user into a false sence of security while reading > email. > > I have tested the issues I describe in this email on Windows95, > Windows98, WindowsNT 4.0 workstation, and Windows2000 Server Release > Candidate 2, using Netscape Communicator 4.7, 128-bit encryption (US > strong encryption version), using both already existing and newly > created Windows users on the Windows box. I have reported the issues > described in this email to Netscape a few days ago but haven't heard > back from them yet. > > First, some history... > > It is well known throughout the Internet that the two most common > protocols for reading email, POP3 (port 110) and IMAP (port 143), are > sent in the clear over the network. When users use either of these > protocols to read email, they send their email server username and > password in the clear over the network. A malicious person with access > to the network where this traffic flows could sniff that network and > obtain the email username and password of unsuspecting users. Netscape > Messenger is one such email client that lets users use POP3 and IMAP to > read email. > > To improve security and prevent email server usernames and passwords > from going over the Internet as clear text, there is built-in support > for using the IMAP protocol over a SSL channel. When using this setup, > information that travels on the Internet from the user's computer to the > email server is encrypted. A malicious person would have a hard time > getting the email username and password of users using this setup. IMAP > over SSL uses port 993, and it requires that, on the server end, you use > a SSL wrapper like stunnel or SSLwrap around the IMAP server to handle > the SSL connection on the server's end. Netscape Messenger, Microsoft > Outlook and Outlook Express (and probably others) support the IMAP over > SSL setup. > > Now the things I've discovered... > > Netscape Communicator comes with a utility called "Netscape Mail > Notification". The binary is named nsnotify.exe. This utility program, > when run, places a small icon in the shape of an envelope on the taskbar > of Windows95/98/NT/2000. This utility will go out at specified time > intervals to the email server, log into the email server, and check to > see if any new email has arrived for the user. If new email is > detected, a small red flag is animated on top of the envelope icon to > visually let the user know that new email is waiting to be read. You > cannot use this utility to read email - it is designed to simply let > users know when new email arrives. Many users place this utility in > their Startup group so that it starts up every time they log into > Windows. You should note that it isn't placed there automatically. > During a normal install of Netscape Communicator, this utility program > is placed in Start->Programs->Wherever_Netscape_Is->Utilities. > > This utility program (Netscape Mail Notification) has its own options > that you can set by right-mouse clicking on the envelope icon once the > program is running, but, settings such as the email server name, email > server type, and email server username, it gets from the preferences > found in the Netscape Communicator preferences settings. This is where > I discovered some interesting things. > > ---------------------------------------------- > 1. In Netscape Messenger, in > Edit->Preferences->Mail_and_Newsgroups->Mail_Servers, regardless of > whether the user has told Messenger to remember or not remember their > email server password, the Netscape Mail Notification program will > always remember the email server password for the user. The first time > a user runs Netscape Mail Notification it will ask for their email > server password (it gets the email server hostname, email server type > (POP3 or IMAP), and email server username from Messenger preferences). > It then remembers that password and never asks the user for it again, > even if the user logs out and logs back into Windows, regardless of > whether the user wants it to remember it or not.. > > For users who are concerned about security and would prefer that their > email client not remember their email server password (ie they have to > type it in every time they start their email client), if they use > Netscape Mail Notification, it could lead to a false sense of security > because Netscape Mail Notification remembers the user's email server's > password regardless. > > ---------------------------------------------- > 2. The other item I discovered in Netscape Mail Notification, and which > I feel is a greater problem that #1 above, is that regardless of whether > the user has told Netscape Messenger to use a SSL connection when > retreiving email using IMAP (on port 993), Netscape Mail Notification > will always use IMAP without SSL. Here again Netscape Mail Notification > gets the email server hostname, email server type (POP3 or IMAP), and > email server username from Netscape Messenger preferences, but, if the > user is using IMAP, Netscape Mail Notification fails to use IMAP over > SSL when the user has told Netscape Messenger to require a SSL > connection. > > For users who use IMAP over SSL because they don't want their email > server username and password to go over the Internet as clear text, if > that user uses the Netscape Mail Notification utility to watch for new > messages, using IMAP over SSL will achieve nothing, because Netscape > Mail Notification will never use a SSL connection, and the user's email > server username and password will still be sent in clear text to the > email server every time Netscape Mail Notification goes out to check for > new email. With Netscape talking IMAP to the washington.edu daemon, the username/password are definitely not sent in the clear -- the server issues a pair of challenges. Perhaps other daemons don't support challenge authentication...? It's been a long time since I looked at the IMAP RFC, but I seem to recall that IMAP supports multiple authentication mechanisms. -- Jefferson Ogata <jogataat_private> National Oceanographic Data Center You can't step into the same river twice. -- Herakleitos
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:00 PDT