On 9/22/10 12:14 PM, Jeffrey Hutzelman wrote:
> --On Wednesday, September 22, 2010 12:34:50 PM -0400 Barry Leiba
> <barryleiba.mailing.lists@xxxxxxxxx> wrote:
>
>> There's a distinction, here, between a protocol and a user interface
>> for configuration. My mother doesn't know whom to trust, except that
>> she knows that she (at least kinda-sorta) trusts the mail program
>> she's decided to use, and an entity she calls "gmail" (not
>> "google.com", not "gmail.com", but just "gmail"). She's relying on
>> the mail program's "easy configuration feature" to sort this out.
>>
>> The text I reviewed appeared to be saying normative things about what
>> client software MUST and MUST NOT do with regard to this sort of
>> configuration situation, which goes well beyond what the client
>> software is doing on the wire. Unless I'm mis-reading it, it's
>> explicitly saying that my client software is not allowed to do
>> something like this, for example:
>> 1. Ask the user, "What email service do you use?"
>> 2. Receive the answer "gmail" from the user.
>> 3. Auto-configure itself for the known gmail servers based only on
>> that user input.
>
> I think that's reasonable behavior _if_ the mail client knows that
> "gmail" is "mail.google.com". What's _not_ reasonable is for it to
> arbitrarily transform "gmail" into a domain by adding ".com", then look
> up "gmail.com" and see that it is an alias for "mail.google.com" and not
> only follow the (insecure) alias to mail.google.com but also use it to
> decide that "mail.google.com" is an appropriate name to find in a
> certificate.
>
> If your mother's mail client does that, then all I have to do to steal
> her password is convince said client that "gmail.com" is actually an
> alias for "stealgmailpassword.attacker.org".
In my experience, some user agents have interface elements such as a
drop-down box that lists popular service providers, and the account
configuration wizard behaves differently (e.g., asks for different
information) depending on which popular service provider the user chooses.

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
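To make the distinction in Jeff's message concrete, the following is an added example written for this page; it is not code from the thread, from the draft under discussion, or from any real mail client. It contrasts three ways a client could choose the reference identifier it expects to find in the server's certificate when the user typed only "gmail": trusting the target of an insecurely learned alias (the behaviour Jeff objects to), keeping the source domain as the reference identifier, and mapping the provider label through a table the client knows out of band (the behaviour he calls reasonable, and roughly what the drop-down Peter describes does). The DNS answers, the provider table and the certificate name lists are constructed for the demonstration; only the host names themselves come from the thread.

```python
# Added example (not from the thread or any mail client). DNS answers,
# provider table and certificate names are constructed for the demo.

# Constructed DNS answers: what the client learns from an *insecure* lookup.
HONEST_DNS = {"gmail.com": "mail.google.com"}
SPOOFED_DNS = {"gmail.com": "stealgmailpassword.attacker.org"}

# Constructed out-of-band provider table: the case Jeff calls reasonable,
# where the client already knows that "gmail" means mail.google.com.
KNOWN_PROVIDERS = {"gmail": "mail.google.com"}

# Constructed subjectAltName dNSName lists. The attacker's certificate is
# perfectly valid for the attacker's own name; that is the whole problem.
PROVIDER_CERT = ["mail.google.com"]
ATTACKER_CERT = ["stealgmailpassword.attacker.org"]


def cert_matches(reference_identifier, presented_names):
    """Simplified dNSName check: case-insensitive exact match, or a single
    wildcard in the left-most label matching exactly one label."""
    ref = reference_identifier.lower().rstrip(".")
    ref_labels = ref.split(".")
    for name in presented_names:
        presented = name.lower().rstrip(".")
        if presented == ref:
            return True
        labels = presented.split(".")
        if (labels[0] == "*" and len(labels) == len(ref_labels)
                and labels[1:] == ref_labels[1:]):
            return True
    return False


def lookup(dns, domain):
    """Follow one (insecure) alias hop; unknown names resolve to themselves."""
    return dns.get(domain, domain)


def verify_alias_target(user_input, dns, presented_names):
    """The behaviour Jeff objects to: guess a domain by appending ".com",
    follow the alias, and trust the alias *target* as the reference id."""
    source_domain = user_input + ".com"
    target = lookup(dns, source_domain)
    return target, cert_matches(target, presented_names)


def verify_source_domain(user_input, dns, presented_names):
    """Use the alias only to decide *where to connect*; the name the client
    actually trusts (the source domain) stays the reference identifier."""
    source_domain = user_input + ".com"
    target = lookup(dns, source_domain)
    return target, cert_matches(source_domain, presented_names)


def verify_known_provider(user_input, presented_names):
    """Jeff's reasonable case: the provider label is mapped to a host the
    client knows out of band, so DNS never chooses the reference id."""
    host = KNOWN_PROVIDERS.get(user_input)
    if host is None:
        return None, False
    return host, cert_matches(host, presented_names)


def run_scenarios():
    """Return {scenario: accepted?} for spoofed and honest DNS."""
    results = {}
    # Attack: spoofed alias, attacker presents a certificate for their own name.
    results["alias_target/spoofed"] = verify_alias_target("gmail", SPOOFED_DNS, ATTACKER_CERT)[1]
    results["source_domain/spoofed"] = verify_source_domain("gmail", SPOOFED_DNS, ATTACKER_CERT)[1]
    results["known_provider/spoofed"] = verify_known_provider("gmail", ATTACKER_CERT)[1]
    # Honest DNS; the provider's certificate names only the alias target.
    results["alias_target/honest"] = verify_alias_target("gmail", HONEST_DNS, PROVIDER_CERT)[1]
    results["source_domain/honest"] = verify_source_domain("gmail", HONEST_DNS, PROVIDER_CERT)[1]
    results["known_provider/honest"] = verify_known_provider("gmail", PROVIDER_CERT)[1]
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:24} -> {'ACCEPT' if accepted else 'REJECT'}")
```

Only the alias-target strategy accepts the attacker's certificate under spoofed DNS, which is exactly the password-stealing scenario Jeff describes. The honest-DNS rows show the cost of the safer rule: a client that insists on the source domain will reject a provider whose certificate names only the alias target, so in practice a client either needs the provider mapping out of band (the drop-down approach) or a secured way to learn the alias before it can treat the alias target as the name to look for.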