[RndTbl] MitM on IMAPS?
Adam Thompson
athompso at athompso.net
Sat Jan 18 10:11:18 CST 2014
Short answer: not in any practical way.
Medium answer: yes, but someone would have to surreptitiously obtain physical control of your phone long enough to install a new root CA. (See Sean's answer)
Longer answer: of course it's theoretically possible, but the attacker would have to compromise a CA that you already trust. Sadly, this isn't as outlandish a prospect as it should be, but it's still extremely unlikely. I don't know how often Samsung or Google removes known-compromised CAs from the trust list, if ever, so I can't say how large the potential exposure is. On the other hand, the only way you'd be caught by something like that would be as part of a very large, very sophisticated operation that was doing it to *everyone*.
You can issue your own certificate, signed against your own CA, and "just" ensure your own CA is imported into every client you use... I wouldn't bother, but it's an option.
-Adam
On Jan 18, 2014 3:37 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>
> I'm just wondering if it is possible for someone to MitM me in the
> following scenario and intercept plaintext traffic:
>
> dovecot imaps server with real thawte "quick" cert
> |
> imaps (ssl)
> |
> public wifi
> |
> android phone using imaps using "ssl" not "ssl (any cert)" option
>
>
> For instance, can a malicious hotspot use some sort of interception
> technique / spoofing and some sort of wildcard cert to trick my phone into
> negotiating SSL with it, which then does its own SSL to my dovecot server,
> thus MitM'ing me without me even knowing? I know in a web browser I'd
> normally be protected against that by looking at the URL in the address
> bar, or the green EV-cert graphics (or am I wrong in even that
> assumption)?
>
> How paranoid do I have to be? And is there any way to beat any
> shortcoming on Android, perhaps with a client cert or a way to tie the
> account to a single manually-specified server SSL cert?
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
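An added example, not code from the thread: the three trust levels discussed above ("ssl (any cert)", "ssl" against the device store, and Adam's own-CA option) expressed as Python TLS contexts, plus a certificate pin that answers Trevor's question about tying the account to one server certificate. The `connect_pinned` function and the CA file path are the example's own assumptions.

```python
import hashlib
import hmac
import socket
import ssl

def any_cert_context():
    """'ssl (any cert)': the link is encrypted but any certificate is
    accepted, so a hotspot can terminate TLS itself and relay to the
    real server without the phone noticing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def system_ca_context():
    """'ssl': the chain must end at a CA in the device store and match the
    hostname, so a MitM needs a cert from one of those (possibly
    compromised) CAs."""
    return ssl.create_default_context()

def private_ca_context(ca_pem_path):
    """Adam's option: trust only your own CA file. A public-CA cert for
    the same hostname no longer chains and is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies by default
    ctx.load_verify_locations(cafile=ca_pem_path)
    return ctx

def cert_fingerprint(der_bytes):
    """SHA-256 of the DER cert, the value `openssl x509 -fingerprint -sha256`
    prints on the server and the client pins."""
    return hashlib.sha256(der_bytes).hexdigest()

def pin_matches(der_bytes, expected_hex):
    """Compare the presented cert's fingerprint with the pin; accepts the
    colon-separated upper-case form openssl prints."""
    wanted = expected_hex.lower().replace(":", "")
    return hmac.compare_digest(cert_fingerprint(der_bytes), wanted)

def connect_pinned(host, port, ctx, pinned_sha256):
    """IMAPS connect: verify the chain per ctx, then also require the leaf
    to match the pin (Trevor's 'tie to a single server cert'); a mismatch
    aborts before any IMAP command is sent. Returns the server greeting."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_sha256):
                raise ssl.SSLError("certificate pin mismatch: " + cert_fingerprint(der))
            return tls.recv(1024).decode("ascii", "replace")
```

Record the pin out-of-band (on the server, not over the network you distrust), and remember it must be updated whenever the server certificate is reissued.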