iPhone email client does not validate SSL certificates

Info:

The iPod/iPhone standard e-mail application does not validate SSL certificates
and is vulnerable to a man-in-the-middle (MITM) attack.

Vulnerable: All versions.

Discovered by: William Borskey wborskey@gmail.com

Discussion:

The mail application that ships with the iPod/iPhone does not validate SSL
certificates. A malicious user can use software such as ettercap-ng to sniff
email passwords without the application warning the victim that the
certificate may be invalid.

Exploit:

This flaw can be exploited with ettercap-ng.


Replies to this exploit:

From: Pavel Machek pavel@ucw.cz
Sent: Sat 26. Sep 2009 11:54
Hi!

> iPod/iPhone standard e-mail application does not validate SSL certificates
> and is vulnerable to a MITM (man in the middle attack).
> 
> Vulnerable: All versions.

Well... mujmail.org email client also does not validate ssl
certificates -- optionally. Reasoning is that SSL with unverified
certificate is still better than sending plaintext passwords.

Does that count as a vulnerability?
								Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


From: Steve Shockley steve.shockley@shockley.net
Sent: Mon 28. Sep 2009 21:27
On 9/26/2009 5:54 AM, Pavel Machek wrote:
> Well... mujmail.org email client also does not validate ssl
> certificates -- optionally. Reasoning is that SSL with unverified
> certificate is still better than sending plaintext passwords.
>
> Does that count as a vulnerability?

Yes; it's not that difficult for someone on the same network segment to
proxy all your traffic, and if you don't check your certificate then you
might as well have sent it plaintext.

If you don't want to buy a cert, then set up your own mini-CA and
install the CA root cert on your client.
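
Added example (not part of the advisory or of any reply in the thread): the client-side setting the thread argues about, written with Python's standard ssl and imaplib modules. unverified_context() reproduces the behaviour the advisory reports, verifying_context() is the corrected configuration including the mini-CA option from the last reply, and audit() flags the difference. The function names, the ca_file parameter and the host names mentioned in comments are assumptions made for this illustration.

```python
import imaplib
import ssl


def unverified_context() -> ssl.SSLContext:
    """The reported behaviour: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE   # chain is never validated
    return ctx


def verifying_context(ca_file=None) -> ssl.SSLContext:
    """The corrected client configuration.

    ca_file=None : trust the platform's CA store.
    ca_file=path : trust only that root, e.g. the root of a private mini-CA
                   (hypothetical path such as "mini-ca-root.pem").
    """
    if ca_file is None:
        return ssl.create_default_context()
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on,
    # and with an empty trust store, so only ca_file is trusted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return the validation steps a client context skips (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not verified: a certificate from any issuer, "
                        "including an intercepting proxy, is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate issued for a "
                        "different server is accepted")
    return findings


def open_imaps(host: str, ctx: ssl.SSLContext, port: int = 993) -> imaplib.IMAP4_SSL:
    """Connect to an IMAPS server. With a verifying context the handshake raises
    ssl.SSLCertVerificationError before any password is sent if the certificate
    does not chain to a trusted root or does not match host."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verifying", verifying_context())):
        problems = audit(ctx)
        print(name, "->", problems if problems else "no validation steps skipped")
```
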

