COMMAND
netscape
SYSTEMS AFFECTED
Netscape 4.7
PROBLEM
Craig Ruefenacht found the following. He was playing around with the
Netscape Communicator package, version 4.7, on multiple Microsoft
Windows platforms, including Windows95, Windows98, WindowsNT
workstation, and Windows2000 Server Release Candidate #2. Craig
discovered a couple of things with a utility that comes with the
Netscape Communicator package which could lead a user into a false
sense of security while reading email.
The following was tested on Windows95, Windows98, WindowsNT 4.0
workstation, and Windows2000 Server Release Candidate 2, using
Netscape Communicator 4.7, 128-bit encryption (US strong
encryption version), using both already existing and newly
created Windows users on the Windows box.
First, some history... It is well known throughout the Internet
that the two most common protocols for reading email, POP3 (port
110) and IMAP (port 143), are sent in the clear over the network.
When users use either of these protocols to read email, they send
their email server username and password in the clear over the
network. A malicious person with access to the network where
this traffic flows could sniff that network and obtain the email
username and password of unsuspecting users. Netscape Messenger
is one such email client that lets users use POP3 and IMAP to
read email.
To improve security and prevent email server usernames and
passwords from going over the Internet as clear text, there is
built-in support for using the IMAP protocol over an SSL channel.
When using this setup, information that travels on the Internet
from the user's computer to the email server is encrypted. A
malicious person would have a hard time getting the email username
and password of users using this setup. IMAP over SSL uses port
993, and it requires that, on the server end, you use an SSL
wrapper like stunnel or SSLwrap around the IMAP server to handle
the SSL connection on the server's end. Netscape Messenger,
Microsoft Outlook and Outlook Express (and probably others)
support the IMAP over SSL setup. Now the things discovered...
Netscape Communicator comes with a utility called "Netscape Mail
Notification". The binary is named nsnotify.exe. This utility
program, when run, places a small icon in the shape of an
envelope on the taskbar of Windows95/98/NT/2000. This utility
will go out at specified time intervals to the email server, log
into the email server, and check to see if any new email has
arrived for the user. If new email is detected, a small red flag
is animated on top of the envelope icon to visually let the user
know that new email is waiting to be read. You cannot use this
utility to read email - it is designed to simply let users know
when new email arrives. Many users place this utility in their
Startup group so that it starts up every time they log into
Windows. You should note that it isn't placed there
automatically. During a normal install of Netscape Communicator,
this utility program is placed in
Start->Programs->Wherever_Netscape_Is->Utilities.
This utility program (Netscape Mail Notification) has its own
options that you can set by right-mouse clicking on the envelope
icon once the program is running, but it takes settings such as the
email server name, email server type, and email server username
from the Netscape Communicator preferences. This is where Craig
discovered some interesting things.
1. In Netscape Messenger, in
Edit -> Preferences -> Mail_and_Newsgroups -> Mail_Servers,
regardless of whether the user has told Messenger to remember
or not remember their email server password, the Netscape Mail
Notification program will always remember the email server
password for the user. The first time a user runs Netscape
Mail Notification it will ask for their email server password
(it gets the email server hostname, email server type (POP3 or
IMAP), and email server username from Messenger preferences).
It then remembers that password and never asks the user for it
again, even if the user logs out and logs back into Windows,
regardless of whether the user wants it to remember it or not.
For users who are concerned about security and would prefer
that their email client not remember their email server
password (i.e. they have to type it in every time they start
their email client), if they use Netscape Mail Notification, it
could lead to a false sense of security because Netscape Mail
Notification remembers the user's email server's password
regardless.
2. The other item Craig discovered in Netscape Mail Notification,
and which he feels is a greater problem than #1 above, is that
regardless of whether the user has told Netscape Messenger to
use an SSL connection when retrieving email using IMAP (on port
993), Netscape Mail Notification will always use IMAP without
SSL. Here again Netscape Mail Notification gets the email
server hostname, email server type (POP3 or IMAP), and email
server username from Netscape Messenger preferences, but, if
the user is using IMAP, Netscape Mail Notification fails to use
IMAP over SSL when the user has told Netscape Messenger to
require an SSL connection.
For users who use IMAP over SSL because they don't want their
email server username and password to go over the Internet as
clear text, if that user uses the Netscape Mail Notification
utility to watch for new messages, using IMAP over SSL will
achieve nothing, because Netscape Mail Notification will never
use an SSL connection, and the user's email server username and
password will still be sent in clear text to the email server
every time Netscape Mail Notification goes out to check for new
email.
SOLUTION
With Netscape talking IMAP to the washington.edu daemon, the
username/password are definitely not sent in the clear -- the
server issues a pair of challenges. Perhaps other daemons don't
support challenge authentication...?
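
Added example (not part of the original advisory and not Netscape code): a small Python audit of client-to-server mail session lines, showing how the cases discussed above differ on the wire, i.e. a plain LOGIN on port 143 versus the challenge authentication mentioned under SOLUTION. The session lines, the netscape.exe process name, and the username and password are constructed; CRAM-MD5 and DIGEST-MD5 are assumed here as examples of challenge mechanisms.

```python
import re

# Cleartext ports named in the advisory; 993 (IMAP over SSL) is opaque on the wire.
CLEARTEXT_PORTS = {110: "POP3", 143: "IMAP"}
# Assumed examples of mechanisms where the password itself never crosses the wire.
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5"}

IMAP_CMD = re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE)\b\s*(\S*)", re.I)
POP3_CMD = re.compile(r"^(PASS|APOP|AUTH)\b\s*(\S*)", re.I)


def classify_line(port, line):
    """Classify one client-to-server line; None means no password exposure seen."""
    if port not in CLEARTEXT_PORTS:
        return None
    pattern = IMAP_CMD if port == 143 else POP3_CMD
    m = pattern.match(line.strip())
    if not m:
        return None
    verb, arg = m.group(1).upper(), m.group(2).upper()
    if verb == "APOP":
        return "challenge-response"
    if verb in ("AUTHENTICATE", "AUTH"):
        if not arg:
            return None  # bare AUTH only asks which mechanisms the server offers
        # PLAIN/LOGIN mechanisms are base64 only, which is an encoding, not encryption.
        return "challenge-response" if arg in CHALLENGE_MECHS else "password-in-clear"
    return "password-in-clear"  # IMAP LOGIN or POP3 PASS


def audit(sessions):
    """sessions: iterable of (process, port, client_lines); returns the findings."""
    return [(proc, port, verdict)
            for proc, port, lines in sessions
            for verdict in (classify_line(port, ln) for ln in lines)
            if verdict]


# Constructed sample: Messenger on 993, the notifier on 143 against two server types.
SAMPLE = [
    ("netscape.exe", 993, ["<ssl records>"]),
    ("nsnotify.exe", 143, ["a001 LOGIN alice s3cret"]),
    ("nsnotify.exe", 143, ["a001 AUTHENTICATE CRAM-MD5", "PGNvbnN0cnVjdGVkPg=="]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "challenge-response" verdict on port 143 still leaves the mailbox contents and the username readable on the wire; only the password is protected.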