We have moved to a new Sailfish OS Forum. Please start new discussions there.
23

caldav client vulnerable to SSL MITM attack

asked 2015-01-03 16:04:53 +0200

Bluewind gravatar image

updated 2015-01-03 16:25:07 +0200

Using sslsniff/sslsplit it is possible to mount an SSL MITM attack using a self-signed, untrusted certificate to intercept traffic generated by a caldav account configured on a jolla device. This attack works against newly configured and existing caldav accounts using an https connection.

It has already been publicly noted that self-signed certificates "just work" so I consider this issue publicly known.

Tested on Sailfish OS 1.1.1.27 Vaarainjärvi.

edit retag flag offensive close delete

Comments

Could you please elaborate whether every https-calDAV connection is vulnerable to MITM (so also regular server cert and then a self-signed cert as MITM) or whether this vector is only usable when the server uses a self-signed certificates itself?

sidv ( 2015-01-03 17:28:05 +0200 )edit

I've set up my caldav account before trying any MITM attacks so it should have been set up with the valid cert. While playing around with sslsniff I was asked to re-enter my password; maybe that changed some invisible setting regarding untrusted certs.

That said, this doesn't happen with mail accounts. Those correctly throw a "Certificate issue" error and don't send traffic when under attack. Unless proven otherwise assume that any caldav account is vulnerable.

Bluewind ( 2015-01-03 18:01:14 +0200 )edit

@Bluewind thanks a lot for the clarification. This is indeed a freaking severe issue. I fear CardDAV may be just as affected. I hope we get a hotfix for this...

sidv ( 2015-01-03 19:44:26 +0200 )edit
1

@sidv From a quick look at the code, CardDAV should not be affected. If you test it, please update and let us know.

I agree about the severity. I'll push to get this fixed quickly.

jbrooks ( 2015-01-03 23:35:10 +0200 )edit

1 Answer

Sort by » oldest newest most voted
4

answered 2015-01-03 18:09:04 +0200

tigeli gravatar image

I haven't personally tried this out but I've reported the issue back to our engineers. It should not accept just any cert by default.. and it needs to be fixed if it is so.

edit flag offensive delete publish link more

Comments

2

@tigeli sorry to be pushy but I want to make a point here: if this indeed proves to be a result of making life easier for the folks running self-signed certificates you guys should re-evaluate your strategy w.r.t. these kind of things. I am running self-signed myself for some stuff (i.e., at work in a lab environment before deploying stuff) but I cannot assume these to work out of the box. No matter what some people scream here and elsewhere (and yes, our CA system is a broken implementation which we are trying to fix), if you go self-signed you must expect to hit some road blocks. First and foremost: that it does not work out of the box! After all, the very idea of "self-signing" a certificate breaks the default chain of trust that certificates are built upon!

So, if it should turn out that to make life a little easier for a few people that are unwilling to pay less than $10 per year for a proper certificate (and I don't care if they think they fight the "system" or something along those lines) you jeopardized the security of each and every CalDAV connection from a Jolla (including, but not limited to, passwords, contacts, sensitive personal data, ...) you must issue a hotfix and re-evaluate where your position is between convenience for a few and security for all in the future! Despite that if you manage to self-sign a cert, you should be able to import that (and its "chain of trust") on your devices yourself.

Oh, and you should check if CardDAV is affected as well. I fear this may be the case and this would cause yet another severe data breach...

Again, sorry to be pushy, it just rubs me in a very sore spot that these things happen due to "dumbing things down".

sidv ( 2015-01-03 19:42:40 +0200 )edit
2

@sidv I'm not offended. :) You are correct about that the self-signed certs should not be working out of the box ever and this has not been our intention (it that's the case) at least not on purpose. (For example with email-accounts you will have to check the box to accept the self-signed certs on the settings.)

tigeli ( 2015-01-03 20:20:24 +0200 )edit
1

@tigeli thanks, I really appreciate the work you guys are doing and I am relieved to hear that it was not intentional! My soreness really stems from the fear that you feel pushed by a very vocal part of the user base to make certain decisions that may change things for the worse for the less vocal rest.

Again, thanks for doing what you are doing!

sidv ( 2015-01-03 23:20:07 +0200 )edit

Any updates?

Bluewind ( 2015-02-06 13:33:20 +0200 )edit
1

it's fixed internally for quite some time, MW commit here: https://github.com/nemomobile/buteo-sync-plugin-caldav/commit/f6f4991a94b9dcb9993af78a87c547a5527e3114

VDVsx ( 2015-02-06 13:53:57 +0200 )edit
Login/Signup to Answer

Question tools

Follow
3 followers

Stats

Asked: 2015-01-03 16:04:53 +0200

Seen: 831 times

Last updated: Jan 03 '15