On Wed, Apr 28, 2010 at 2:52 PM, Dan White <dwhite@xxxxxxx> wrote:
> On 28/04/10 14:38 -0300, Reinaldo de Carvalho wrote:
>>
>> If the hacker owns the server he can
>> - use "tcpdump -s 0 -A | grep --line-buffered -e LOGIN -e USER -e PASS"
>>   to get the password in the next user authentication.
>> - read the TLS private key file and look at the traffic with tcpdump.
>> - read the TLS private key from memory.
>> - switch the imapd daemon to a version that saves user/password to a file.
>
> That's easier than it sounds (in imapd.conf):
>
> sasl_auto_transition: 1
> sasl_auxprop_plugin: sasldb
>
> which would place all shared secrets in the clear, into /etc/sasldb2
>
> or even worse, set sasl_auxprop_plugin to ldapdb or sql and configure it to
> store the shared secrets somewhere over the network. No need to bother with
> decrypting the TLS traffic.
>

Creativity has no limit :)

--
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather yourself to the way the software works" (myself)
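As an added example, not code from the thread or from the Cyrus project: a small audit script that reads an imapd.conf in the `option: value` syntax Dan quotes and flags the combination he describes, `sasl_auto_transition` enabled together with an auxprop plugin that stores the shared secrets, either on disk in sasldb or over the network in ldapdb/sql. The sample configurations are constructed. The option names are the ones quoted above; the boolean spellings accepted (1/yes/on/true/t) and the space-separated plugin list are assumptions about Cyrus behaviour, not something the thread states.

```python
"""Audit a Cyrus imapd.conf for the sasl_auto_transition risk described above.

Added example (not code from the thread or from the Cyrus project). Assumes
the imapd.conf syntax of one "option: value" per line with "#" comments, that
the boolean spellings 1/yes/on/true/t mean enabled, and that
sasl_auxprop_plugin may list several plugins separated by spaces.
"""
import re
from typing import Dict, List, Tuple

AUTO_TRANSITION = "sasl_auto_transition"   # option named in the thread
AUXPROP_PLUGIN = "sasl_auxprop_plugin"     # option named in the thread

# Backends the thread names: sasldb writes /etc/sasldb2 on disk,
# ldapdb and sql push the secrets to a store reached over the network.
LOCAL_STORES = {"sasldb"}
NETWORK_STORES = {"ldapdb", "sql"}
TRUE_WORDS = {"1", "yes", "on", "true", "t"}  # assumed boolean spellings

OPTION_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*:\s*(.*?)\s*$")


def parse_imapd_conf(text: str) -> Dict[str, str]:
    """Return option -> value; a later duplicate overrides an earlier one."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = OPTION_RE.match(line)
        if match:
            options[match.group(1).lower()] = match.group(2)
    return options


def is_enabled(value: str) -> bool:
    return value.strip().lower() in TRUE_WORDS


def audit_sasl_transition(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing flagged."""
    opts = parse_imapd_conf(text)
    if not is_enabled(opts.get(AUTO_TRANSITION, "0")):
        return []  # transition off: no secret is written out at login time
    plugins = set(opts.get(AUXPROP_PLUGIN, "").lower().split())
    findings: List[Tuple[str, str]] = []
    for plugin in sorted(plugins & NETWORK_STORES):
        findings.append(("high", f"{AUTO_TRANSITION} is on and {AUXPROP_PLUGIN} "
                         f"includes {plugin}: each login's shared secret is sent "
                         f"to a store reached over the network"))
    for plugin in sorted(plugins & LOCAL_STORES):
        findings.append(("high", f"{AUTO_TRANSITION} is on and {AUXPROP_PLUGIN} "
                         f"includes {plugin}: each login's shared secret is "
                         f"written in the clear to the local sasldb"))
    if not findings:
        findings.append(("medium", f"{AUTO_TRANSITION} is on; check where the "
                         f"configured auxprop plugin(s) {sorted(plugins)} store secrets"))
    return findings


# Constructed sample fragments, not taken from any real deployment.
WEAK_CONF = """\
# the two lines quoted in the thread
configdirectory: /var/lib/imap
sasl_auto_transition: 1
sasl_auxprop_plugin: sasldb
"""

NETWORK_CONF = """\
# secrets pushed to a store reached over the network
sasl_auto_transition: yes
sasl_auxprop_plugin: ldapdb
"""

HARDENED_CONF = """\
# transition left off: the plugin is still present but nothing is written at login
sasl_auto_transition: 0
sasl_auxprop_plugin: sasldb
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("network", NETWORK_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit_sasl_transition(conf) or "no findings")
```

Run it against a real imapd.conf by reading the file into a string and passing it to `audit_sasl_transition`; the hardened sample shows that the fix is simply leaving `sasl_auto_transition` off, since the auxprop plugin by itself is not what writes secrets at login.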