[RndTbl] MitM on IMAPS?

Adam Thompson athompso at athompso.net
Sat Jan 18 10:11:18 CST 2014


Short answer: not in any practical way.

Medium answer: yes, but someone would have to surreptitiously obtain physical control of your phone long enough to install a new root CA.  (See Sean's answer)

Longer answer: of course it's theoretically possible, but the attacker would have to compromise a CA that you already trust.  Sadly, this isn't as outlandish a prospect as it should be, but it's still extremely unlikely.  I don't know how often Samsung or Google removes known-compromised CAs from the trust list, if ever, so I can't say how large the potential exposure is.  On the other hand, the only way you'd be caught by something like that would be as part of a very large, very sophisticated operation that was doing it to *everyone*.

You can issue your own certificate, signed against your own CA, and "just" ensure your own CA is imported into every client you use... I wouldn't bother, but it's an option.

-Adam

On Jan 18, 2014 3:37 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
>
> I'm just wondering if it is possible for someone to MitM me in the 
> following scenario and intercept plaintext traffic: 
>
> dovecot imaps server with real thawte "quick" cert 
> | 
> imaps (ssl) 
> | 
> public wifi 
> | 
> android phone using imaps using "ssl" not "ssl (any cert)" option 
>
>
> For instance, can a malicious hotspot use some sort of interception 
> technique / spoofing and some sort of wildcard cert to trick my phone into 
> negotiating SSL with it, which then does its own SSL to my dovecot server, 
> thus MitM'ing me without me even knowing?  I know in a web browser I'd 
> normally be protected against that by looking at the URL in the address 
> bar, or the green EV-cert graphics (or am I wrong in even that 
> assumption)? 
>
> How paranoid do I have to be?  And is there any way to beat any 
> shortcoming on Android, perhaps with a client cert or a way to tie the 
> account to a single manually-specified server SSL cert? 
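Trevor's last question, tying the account to one known server certificate, as an added example that is not from either poster: a Python IMAPS client that still performs normal chain and hostname validation (optionally against only your own CA, Adam's private-CA option) and then refuses to send LOGIN unless the server's leaf certificate has a pinned SHA-256 fingerprint. The DER sample, host, account and pin values are constructed placeholders.

```python
import hashlib
import hmac
import imaplib
import ssl
from typing import Optional

# Constructed stand-in for a DER-encoded certificate; a real client reads the
# bytes from the live TLS session via getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-cert-body" * 4


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' (openssl style) or bare hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER cert, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(cert_fingerprint(der), normalize_fingerprint(pinned))


def build_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain + hostname validation. With cafile set, only that CA (e.g. your own)
    is trusted; the platform store with its hundreds of CAs is not loaded."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def imaps_login_pinned(host: str, user: str, password: str, pinned: str,
                       port: int = 993, cafile: Optional[str] = None) -> imaplib.IMAP4_SSL:
    """Open IMAPS, check the pin after the handshake but before any credentials go out."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=build_context(cafile))
    der = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(der, pinned):
        conn.shutdown()  # nothing secret has been sent yet
        raise ssl.SSLError("server certificate does not match the pinned fingerprint: "
                           "interception or a legitimate certificate rotation")
    conn.login(user, password)
    return conn
```

Record the pin from a network you trust (the fingerprint your server's own `openssl x509` output shows) and expect to update it whenever the certificate is renewed, since a pin by design fails closed on any change.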


