Security: Imbox (and other libs) do not validate certificates #532

Closed
dmth opened this issue May 26, 2016 · 4 comments
Assignees
Labels
bug Indicates an unexpected problem or unintended behavior component: bots security
Milestone

Comments

@dmth
Contributor

dmth commented May 26, 2016

The colleagues from Abusehelper realised some flaws concerning their SSL implementation:
https://github.com/abusesa/abusehelper/blob/master/docs/SECURITY-2016-01.md

@bernhard-herzog reviewed some parts of IntelMQ.

The library "imbox", which is used by the Mail-Collectors, does not validate the certificate of the IMAP Server. It is not possible to force the library to do so.

We also checked:

  • requests: The library does behave well on Ubuntu 14.04
  • sleekxmpp: It is possible to tell sleekxmpp to use a certificate store; currently this is not done

To discuss:

  • Remove the dependency of Imbox and do "IMAP by hand" or persuade Imbox maintainer to add the option to configure SSL.
  • Initiate XMPPClient correctly with a CertificateStore
  • Create an IntelMQ-Wide usable configuration-variable for a CertificateStore.
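The following is an added example, not code from IntelMQ, imbox or AbuseHelper, showing what the three discussion points amount to in code: a verifying TLS context built from an optional, IntelMQ-wide certificate store (the `CERTIFICATE_STORE` name and the `cafile` parameter are assumptions for illustration), the weak non-validating context beside it for comparison, and the "IMAP by hand" option using only the standard library `imaplib`, so nothing here depends on imbox's API. `open_imap` needs a network and is not exercised offline.

```python
"""Certificate validation for an IMAP collector (added example, not project code)."""
import imaplib
import os
import ssl
from typing import Optional

# Hypothetical IntelMQ-wide configuration variable naming a PEM CA bundle.
# None means "use the operating system trust store".
CERTIFICATE_STORE: Optional[str] = None


def build_verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return a context that validates the server's certificate chain and hostname.

    ``cafile`` is the configurable certificate store from the issue; when it is
    None the platform's default trust store is used.
    """
    if cafile is not None and not os.path.isfile(cafile):
        # Fail loudly: silently falling back to "no store" would disable validation.
        raise FileNotFoundError("certificate store not found: %s" % cafile)
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets these; pin them explicitly so a later
    # edit cannot weaken them unnoticed.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_unverified_context() -> ssl.SSLContext:
    """The weak setting, shown only for comparison: the behaviour the issue reports.

    A client using this context completes the handshake against any certificate,
    so an interposed server can read the mailbox credentials.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True if the context rejects untrusted or mismatching server certificates."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_imap(host: str, port: int = 993,
              cafile: Optional[str] = None) -> imaplib.IMAP4_SSL:
    """Connect to an IMAP server with validation enforced ("IMAP by hand").

    imaplib.IMAP4_SSL passes ssl_context to the TLS layer; with a verifying
    context a bad certificate raises ssl.SSLCertVerificationError before any
    LOGIN command is sent.
    """
    ctx = build_verifying_context(cafile)
    if not context_is_verifying(ctx):
        raise RuntimeError("refusing to connect without certificate validation")
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    # Offline: only report which settings each context carries.
    for name, ctx in (("verifying", build_verifying_context(CERTIFICATE_STORE)),
                      ("unverified", build_unverified_context())):
        print(name, "verify_mode=%s check_hostname=%s"
              % (ctx.verify_mode, ctx.check_hostname))
```

A single `build_verifying_context` shared by the mail collector, the XMPP client and any HTTP code is the practical form of the "IntelMQ-wide configuration variable" item: one place reads the store path, and a missing file is an error rather than a silent downgrade.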
@sebix sebix added bug Indicates an unexpected problem or unintended behavior component: bots labels May 26, 2016
@sebix sebix added this to the Release 1 - v1.0 milestone May 26, 2016
@sebix sebix self-assigned this May 27, 2016
@dmth
Contributor Author

dmth commented May 30, 2016

Opened an Issue at IMBOX: martinrusev/imbox#68

@sebix
Member

sebix commented May 30, 2016

I also would like to see this fixed upstream. Creating our own library is much more work than patching the existing code. Thanks for bringing this upstream.

@dmth
Contributor Author

dmth commented Jun 8, 2016

We created a PR for this issue in IMBOX. This one was merged upstream. A new imbox release should fix the issues with imbox.

sleekxmpp is still unresolved

@dmth
Contributor Author

dmth commented Jun 13, 2016

There is a new Imbox release: https://pypi.python.org/pypi/imbox/0.8.5
