OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: netscape POP3 passwd and mails prefs
From: Hans Aikema (speedsk8CROSSWINDS.NET)
Date: Wed Apr 19 2000 - 10:25:45 CDT

Hi Sim and all,
> I browsed the netscape preferences for my user and discovered a few
> interesting files, first of all
>
> liprefs.js
>
> ok, so, it's basically every preference for your user, anything, from
> background color to all the mime types. Anyway, let's get to the
> interesting security things, ok, so, I hope you are aware that your mail
> login is in cleartext look at this property :
>
> ("mail.pop_name", "myloginstandshere")
>
> just after that, whe got
>
> "mail.pop_password", "IKyLOqrMOTE=")
Only if you told netscape to remember your pwd... something that I would say is
not advisable in any program, unless you decide the pwd may be stolen after
some security breach, either physical or through electronic means. In the mail-
properties (mailserver-config there is (at least I guess the Mac has it as
well) a checkbox 'Remember my password'. When you decide to check that one you
imply that you agree to the storage of your pwd in any form on (semi) permanent
storage space. It is a good thing Netscape is offering a little bit of
increased security by first encrypting the pwd (no matter how weak or strong
the encryption is... you need to do more than just steal the liprefs.js to
obtain the login)

> which is your password, ENCODED, ouch, I feared the worst.
> Anyway, I just believe that having the login in clear is a real treat,
> and even if I don't know what encrypt. they use or how to decrypt it, I
> would be very interested if anybody knows how to decrypt this.
<...>
If I am correctly interpreting the POP3 RFC (1225) un and pwd are transmitted
unencrypted when using POP v3 (the most common mail retrieval protocol), so
just as in FTP it is should be very easy to steal un/pwd through packet-
sniffing. I would say this vulnerability for client-server connections is more
dangerous than the storage of un/pwd in files, allthough maybe encryption of
the un would be a nice policy.
People concerned with security should protect their personal files from access
by unauthorized people and should have programs never save the pwd, but just
type it in each time a login is made.
A bad thing in Netscape is that it also caches the pwd in volatile memory... It
is present until the program is terminated. I would say it shouldn't do that
because it only needs the un/pwd when establishing a connection... next
connection just prompt the user again. If the user doesn't want that default-
behaviour it should have the program save the pwd and realize that in that way
people with access to the same disk-space might have access to their pwd and
thus provide protection for the file that NS saves the PWD in.

> Ok, let's move to the even worse thing : In your user prefs, there's a
> mail folder, and in it, there's a text file for every mailfolder you
> created in netscape (inbox, sent....) well, let me tell you that, for
> some reason, netscape doesn't erase the mails
<...>

You should check your trashbin in Netscape... under Windoze Netscape leaves all
msgs in place (ie in inbox or in the msg-folder you first put it in and then
deleted it from) and just marks somewhere in some index (I guess the .snm
files) that certain msgs are to be considered not-present. After empty-ing the
trash-bin from Netscape 4.7 the msgs that were deleted were also removed from
the HD. So under win it's OK. With respect to the 'in clear text': many mail
programs store them in clear text. On unix machines command-line mail utils as
far as I know leave your mail in /var/spool/mail (where it's delivered by the
mail-server) and just mark it read. That mailbox is also in clear text format
... it's just a matter of restricting people in access to personal
folders/directories/files

>
> Ok, now, could it be true that netscape engineers are weenies ?
Well... don't think so, but when your netscape trash-bin is empty they might be
at least as far as the Mac-group of the netscape engineers are concerned, since
the behaviour on Windoze is quite OK IMHO.

            __
           /
 __ \__ __
/ \ /
\__hristian __/oftware\__ onnection
  http://come.to/ChristianSoftware
    e-mail: speedsk8crosswinds.net
           Hans Aikema

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net