Recently a blogger published an article detailing a man-in-the-middle attack against Zimbra Desktop (beta) users. Under the right circumstances, an attacker positioned on the network path between the client and the server may be able to obtain a user's username and password.
The issue involves how Zimbra Desktop (beta) trusts secure (SSL) sites. Zimbra Desktop currently does not verify a site's identity via its SSL certificate, so if a malicious party forges a site, the client connects to it as though it were the genuine server.
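The defect described above is a client that accepts whatever certificate the server presents. As an added example that is not Zimbra's code, the following Java (the platform Zimbra Desktop runs on) shows the vulnerable "trust everything" pattern beside a hardened client that validates the chain against the JVM trust store and checks the host name. The server name mail.example.com is a placeholder.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

public class TlsClientExample {

    // VULNERABLE PATTERN: a trust manager that accepts every certificate chain
    // without looking at it. Any party able to intercept the connection can
    // present a forged certificate and the client will send its credentials
    // to the attacker. This is the behaviour the advisory describes.
    static SSLContext trustAllContext() throws GeneralSecurityException {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // HARDENED PATTERN: passing null trust managers means "use the JVM's
    // default trust store", so the server's chain must lead to a trusted CA.
    static SSLContext verifyingContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // Chain validation alone is not enough: a valid certificate issued to
    // attacker.example would still be accepted for mail.example.com unless
    // the name in the certificate is matched against the host we meant to reach.
    static SSLSocket connect(SSLContext ctx, String host, int port, boolean checkHostname)
            throws IOException {
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        if (checkHostname) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 host name matching
            sock.setSSLParameters(params);
        }
        // Throws SSLHandshakeException on an untrusted chain or a name mismatch.
        sock.startHandshake();
        return sock;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "mail.example.com"; // placeholder host
        int port = 443;
        try (SSLSocket s = connect(verifyingContext(), host, port, true)) {
            System.out.println("Verified connection to " + s.getSession().getPeerPrincipal());
        } catch (SSLException e) {
            // A forged or self-signed certificate ends up here instead of
            // silently sending the user's password.
            System.out.println("Refusing to proceed: " + e.getMessage());
        }
    }
}
```

Swapping verifyingContext() for trustAllContext() in main reproduces the weakness: the handshake succeeds against any server, including one presenting a self-signed certificate, and nothing stops the application from logging in to it.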
This issue was discovered on September 29, 2008 and has been logged in Zimbra's Bugzilla database as Bug 31997 – deal with untrusted certificates.
Zimbra plans to introduce SSL certificate validation in the next release of Zimbra Desktop (beta).
In the meantime, even though we consider the possibility of exploitation remote, we suggest that those who are uncomfortable with this bug uninstall Zimbra Desktop (beta) and wait for the next version. Users who connect over networks they do not control, such as public wireless hotspots, are the most exposed until then.
We also wish to take this opportunity to remind all users of the proper procedure for reporting issues to Zimbra. Zimbra takes all security issues very seriously. In order to protect our customers and the users of our free products, we strongly encourage that security concerns be sent to support@zimbra.com rather than posted publicly.
If you have ANY questions, please feel free to post in our forums.
-The Zimbra Team