On 28/04/10 14:38 -0300, Reinaldo de Carvalho wrote:
> If the hacker owned the server he can
> - use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e PASS" to get the password in the next user authentication.
> - read the TLS private key file and look at traffic with tcpdump.
> - read the TLS private key from memory.
> - switch the imapd daemon to a version that saves user/password to a file.
That's easier than it sounds (in imapd.conf):

sasl_auto_transition: 1
sasl_auxprop_plugin: sasldb

which would place all shared secrets, in the clear, into /etc/sasldb2, or even worse, set sasl_auxprop_plugin to ldapdb or sql and configure it to store the shared secrets somewhere over the network. No need to bother with decrypting the TLS traffic.

--
Dan White
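An added audit script (not from the thread or from the Cyrus project) that parses an imapd.conf and flags the combination Dan describes: sasl_auto_transition enabled together with an auxprop plugin that would receive the cleartext secret. It assumes the "key: value" line format with full-line "#" comments, treats the option as off when absent, and uses a constructed weak/safe config pair.

```python
"""Flag imapd.conf settings that would persist SASL shared secrets in cleartext.

Constructed example; not Cyrus code. Assumptions: "key: value" lines, whole-line
'#' comments, the truthy spellings below, and "absent means off".
"""
import re

TRUTHY = {"1", "yes", "on", "true", "t"}
LOCAL_STORES = {"sasldb"}            # secrets land in /etc/sasldb2 on the host
REMOTE_STORES = {"ldapdb", "sql"}    # secrets are pushed to a store over the network

def parse_imapd_conf(text):
    """Return {option: value}; a repeated key takes the last value seen."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*:\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def audit_sasl_secrets(conf):
    """Return sorted (severity, message) findings for the cleartext-secret risk."""
    if conf.get("sasl_auto_transition", "0").lower() not in TRUTHY:
        return []                    # no transition, so no plaintext copy is created
    plugins = set(conf.get("sasl_auxprop_plugin", "").lower().split())
    findings = []
    for p in plugins & REMOTE_STORES:
        findings.append(("HIGH", f"sasl_auto_transition with {p}: cleartext secrets sent to a network store"))
    for p in plugins & LOCAL_STORES:
        findings.append(("HIGH", f"sasl_auto_transition with {p}: cleartext secrets written to /etc/sasldb2"))
    if not plugins & (LOCAL_STORES | REMOTE_STORES):
        findings.append(("MEDIUM", "sasl_auto_transition enabled; verify where the auxprop plugin stores results"))
    return sorted(findings)

# Constructed sample configs mirroring the thread (weak) and the same host with
# the automatic transition turned off (safe with respect to this finding).
WEAK_CONF = "# constructed\nconfigdirectory: /var/lib/imap\nsasl_auto_transition: 1\nsasl_auxprop_plugin: sasldb\n"
SAFE_CONF = "configdirectory: /var/lib/imap\nsasl_auto_transition: 0\nsasl_auxprop_plugin: sasldb\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("safe", SAFE_CONF)):
        for sev, msg in audit_sasl_secrets(parse_imapd_conf(text)) or [("OK", "no cleartext-secret risk found")]:
            print(f"{name}: [{sev}] {msg}")
```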