
Thread: Zimbra Desktop sends Yahoo password in the clear (not secure)

  1. #1
    Morac (Member, joined Jul 2008)

    Zimbra Desktop sends Yahoo password in the clear (not secure)

    Slashdot article about the security issue

    Zimbra is sending Yahoo usernames and passwords in the clear (i.e. not encrypted) when syncing with Yahoo Mail. In other words, you shouldn't use Zimbra Desktop to check for Yahoo mail on a public network, and I'd be wary of doing so even on a private one.

    Please have Zimbra log in using secure IMAP.
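    As an added illustration (not code from this thread, from Zimbra or from Yahoo), here is the kind of check a defender can run over a monitored IMAP session to catch exactly the exposure described above: a LOGIN or AUTHENTICATE PLAIN command sent before STARTTLS has completed. The transcripts are constructed samples, not captures of Zimbra Desktop or Yahoo's servers.

```python
import re
from typing import Dict, List

# Constructed IMAP transcripts in the form a network monitor might log them
# ('C:' client line, 'S:' server line). Not captures of any real client or server.
CLEARTEXT_SESSION = """\
S: * OK IMAP4rev1 service ready
C: a001 LOGIN "alice@example.com" "s3cret"
S: a001 OK LOGIN completed
"""
STARTTLS_SESSION = """\
S: * OK IMAP4rev1 service ready
C: a001 STARTTLS
S: a001 OK Begin TLS negotiation now
"""
FAILED_STARTTLS_SESSION = """\
S: * OK IMAP4rev1 service ready
C: a001 STARTTLS
S: a001 NO TLS not available
C: a002 AUTHENTICATE PLAIN
S: +
C: [base64 credential blob omitted]
"""

_STARTTLS = re.compile(r"^(?P<tag>\S+)\s+STARTTLS\s*$", re.I)
_LOGIN = re.compile(r'^(?P<tag>\S+)\s+LOGIN\s+"?(?P<user>[^"\s]+)"?\s+\S+', re.I)
_AUTH = re.compile(r"^(?P<tag>\S+)\s+AUTHENTICATE\s+(?P<mech>\S+)", re.I)

def find_cleartext_credentials(session: str) -> List[Dict[str, str]]:
    """Report LOGIN and AUTHENTICATE PLAIN/LOGIN commands sent before TLS was negotiated.
    The password itself is deliberately never copied into a finding."""
    findings: List[Dict[str, str]] = []
    pending_starttls = None  # tag of a STARTTLS command still awaiting the server's reply
    for raw in session.splitlines():
        if raw[:3] not in ("C: ", "S: "):
            continue  # blank lines or other material we do not inspect
        side, payload = raw[0], raw[3:].strip()
        if side == "S":
            if pending_starttls and payload.upper().startswith(pending_starttls.upper() + " "):
                if payload.upper().startswith(pending_starttls.upper() + " OK"):
                    break  # TLS is active from here on; everything after this is encrypted
                pending_starttls = None  # STARTTLS was refused, so the session stays in the clear
            continue
        if m := _STARTTLS.match(payload):
            pending_starttls = m.group("tag")
        elif m := _LOGIN.match(payload):
            findings.append({"tag": m.group("tag"), "command": "LOGIN", "user": m.group("user")})
        elif (m := _AUTH.match(payload)) and m.group("mech").upper() in ("PLAIN", "LOGIN"):
            findings.append({"tag": m.group("tag"), "command": "AUTHENTICATE " + m.group("mech").upper(), "user": ""})
    return findings
```

    A client that connects with implicit TLS (IMAPS on port 993) never produces an inspectable LOGIN line at all, which is the behaviour the request above asks for.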

  2. #2
    jjzhuang (Zimbra Employee, joined Jan 2007)

    This problem has already been addressed in code, and the fix is in the next release.

  3. #3
    holden (Junior Member, joined Jun 2008)

    Why wasn't SSL enabled in the first place?
    Also, I find it a bit odd that it's fixed in your code base: when I attempted to connect using SSL to the Yahoo IMAP servers, they promptly hung up on me. Are there some changes to be rolled out to the Yahoo IMAP servers as well?
    (Or have you gone to even greater lengths to obfuscate the IMAP connection between Zimbra & Yahoo to keep third parties out?)

  4. #4
    jholder (Former Zimbran, Thatcher, AZ, joined Oct 2005)

    Quote, originally posted by holden:
    Why wasn't SSL enabled in the first place?
    Also, I find it a bit odd that it's fixed in your code base: when I attempted to connect using SSL to the Yahoo IMAP servers, they promptly hung up on me. Are there some changes to be rolled out to the Yahoo IMAP servers as well?
    (Or have you gone to even greater lengths to obfuscate the IMAP connection between Zimbra & Yahoo to keep third parties out?)

    I find it odd that someone would post a blog entry, and then submit it to slashdot to create sensationalism.

    Responsible engineers notify the company first, Holden, of their concern. As JJ said, this issue has been addressed, and we are taking appropriate action.
    Last edited by jholder; 09-27-2008 at 12:30 PM.

  5. #5
    Baylink (Elite Member, St Pete FL USA, joined Aug 2008)

    Quote, originally posted by holden:
    Also, I find it a bit odd that it's fixed in your code base: when I attempted to connect using SSL to the Yahoo IMAP servers, they promptly hung up on me.

    Well, *that* sort of suggests that the problem is that Yahoo's IMAP servers don't support SSL, doesn't it?

    That's not Zimbra's fault, now is it?

    Did you *write* the misleading /. summary?


    Yes, I see that you did. Moron.
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.

  6. #6
    holden (Junior Member, joined Jun 2008)

    hold on one second...

    Quote, originally posted by Baylink:
    Well, *that* sort of suggests that the problem is that Yahoo's IMAP servers don't support SSL, doesn't it?

    That's not Zimbra's fault, now is it?

    Did you *write* the misleading /. summary?

    Yes, I see that you did. Moron.

    I never intended to place blame specifically on Zimbra or Yahoo; they are the same company now, no? The problem only occurs with Zimbra, since the IMAP server isn't available to anyone else (well, it shouldn't be available to anyone else; it's fairly easy to trick the IMAP server into talking to you, but at that point you've taken the seatbelt off, so what happens isn't really Yahoo's problem).

  7. #7
    holden (Junior Member, joined Jun 2008)

    that was a bit harsh, did you read the entirety of my post?

    Quote, originally posted by jholder:
    I find it odd that someone would post a blog entry, and then submit it to slashdot to create sensationalism.

    Responsible engineers notify the company first, Holden, of their concern. As JJ said, this issue has been addressed, and we are taking appropriate action.

    As my blog post states, I notified Yahoo! during my "hacku" presentation. They didn't seem concerned, nor did they talk with me afterwards. Regardless, users need to be informed of this since it exposes their account information, and they should take steps to avoid this (like not using Zimbra over wireless until the fix is in). I find the suggestion that I'm not responsible a little harsh. I fail to see the sensationalism in my blog post or in the slashdot story; perhaps I am just blinded by my interest in this matter.

    Rather than brushing me off complaining about a lack of encryption, I think it would have been a better course of action for Yahoo!/Zimbra to publicly disclose this information to its users after I informed them, and switch the IMAP servers to require SSL to get people to download an update. Then everyone is happy (except for the bad guys).

    Any chance of having my other questions answered about the Yahoo IMAP servers? I realize it's a bit of a loaded question, but it would be cool if I could still use the Yahoo IMAP servers for my anti-spam project; if not, I understand the business reasons behind it (gotta make money for those pro accounts).

    Regardless, let's be civil; hot tempers are never a good thing. If we're in the same city sometime soon, give me a shout and I'll buy you a pint of beer.

  8. #8
    jholder (Former Zimbran, Thatcher, AZ, joined Oct 2005)

    Okay, I'll buy that. Yahoo is a big place, and it's possible that whoever you reported it to, it never got to us.

    Zimbra takes security very, very seriously. As a matter of fact, many of the products that we use in Zimbra, we use specifically because their competition has security issues.

    Considering this issue was reported this morning, we have had little time to post an update, etc.

    Zimbra Desktop has an auto-update feature, so when we release the update, all users will be informed.

    We don't believe this to be your fault, obviously. We live in a world where security should be #1 for software vendors. For us, it is. A simple yahoo/google search would have brought up how to report security issues.

    However, whoever you mentioned it to should have brought it to our attention, and we're sorry they didn't.

    Holden, thanks for reporting this. If you pvt me your address, we'll send you a shirt.

    (PS: you'll be sending your address in clear text.)

  9. #9
    Baylink (Elite Member, St Pete FL USA, joined Aug 2008)

    You weren't civil (that was not especially a civil act -- based as it was on the fact that you apparently don't realize that no, Zimbra Desktop users are *not* the only people who can access Yahoomail via IMAP, and that hasn't been true for *at least* two years), so why should we be?

    I do think it's his fault, John; Zimbra is, effectively, so far as *I* can tell, a subsidiary of Yahoo mail -- I wouldn't be surprised if any given Zimbra employee needed to ask around to get in touch with any given Yahoomail employee, special case for ZD or not.

    I'm not a cheerleader for Zimbra -- you can make your own decisions about that from the 36 bugs I filed last week; clearly I don't think Z is perfect. But I do think that -- unless you made some other attempts you haven't mentioned between mentioning to people at a hack day who weren't in the chain of command and posting it to frickin' Slashdot -- you could probably have chosen, at the very least, slightly less inflammatory language to discuss it in.
    Last edited by Baylink; 09-27-2008 at 01:31 PM.

  10. #10
    holden (Junior Member, joined Jun 2008)

    Quote, originally posted by Baylink:
    You weren't civil (that was not especially a civil act -- based as it was on the fact that you apparently don't realize that no, Zimbra Desktop users are *not* the only people who can access Yahoomail via IMAP, and that hasn't been true for *at least* two years), so why should we be?

    Really? Perhaps I'm missing something: when I connected to the Yahoo IMAP servers, I had to send an ID saying I was Zimbra before they would let me authenticate. I also talked to the Yahoo! people at the hack day, and they said that Yahoo! didn't offer IMAP support. I didn't use only my own code to do this; I also attempted it in Evolution, since I figured my IMAP implementation could be a bit off. Perhaps I missed something incredibly obvious (it does happen from time to time). I'd be very interested in knowing what the correct IMAP settings are, rather than my reverse-engineered ones, since that would help with a project I am working on. Could you provide a pointer to that? It would be greatly appreciated, thanks.

    I'm under the impression that I was reasonably civil, but we often have better opinions of our own behavior.

    As to why you should be civil in general, I can't really make a good argument for that but it certainly would make this discussion easier.

    Quote, originally posted by Baylink:
    I do think it's his fault, John; Zimbra is, effectively, so far as *I* can tell, a subsidiary of Yahoo mail -- I wouldn't be surprised if any given Zimbra employee needed to ask around to get in touch with any given Yahoomail employee, special case for ZD or not.

    I'm not trying to place blame on Zimbra. My goal was to get this fixed. Perhaps Yahoo! was not the right group to talk to, but they were sitting right across from me, and it was Yahoo!'s IMAP servers, so I figured they would be a reasonable group to talk to.

    Quote, originally posted by Baylink:
    I'm not a cheerleader for Zimbra -- you can make your own decisions about that from the 36 bugs I filed last week; clearly I don't think Z is perfect. But I do think that -- unless you made some other attempts you haven't mentioned between mentioning to people at a hack day who weren't in the chain of command and posting it to frickin' Slashdot -- you could probably have chosen, at the very least, slightly less inflammatory language to discuss it in.

    Not in the chain of command? Maybe I don't understand how this works, but they were on the dev side of Yahoo! (not HR or ops). If they had asked me to talk to someone specific at Zimbra, I certainly would have, but they were just uninterested. If you feel that my blog post was uncalled for, I would respectfully disagree, but I think this is one of those situations where neither of us will convince the other, so agreeing to disagree may be the best course of action?
