Hi, * Gaëtan LEURENT [07-03-14 15:53:36 +0100] wrote:
This attack is really a practical one: it needs about an hour of computation and a few hundred authentications from the client, and can recover three password characters. I tested it against mutt, and it does work.
Well, this is a difficult issue. First, using hash algorithms always leaves us with the risk of collisions if it's only a theoretical one.
Second, you have the same problem if someone can construct a collision with fully RfC-compliant message-ids.
Third, you have many other problems once someone owns your pop server. :)
However, using the current techniques available to attack MD5, the msg-ids sent by the server can easily be distinguished from genuine ones as they will not respect the RFC specification. In particular, they will contain non-ASCII characters. Therefore, as a security countermeasure, I think mutt should reject msg-ids that does not conform to the RFC.
APOP IMHO should never be considered a secure way of authentication, it's just more secure than sending plain passwords over the wire. But yes, since the RfC says the "timestamp" must be syntacially valid message-id and mutt doesn't check it, there's some room of improvement.
On the other hand, it may not be very nice to abort authentication in case the server config is so broken that it generates invalid message-ids...
bye, Rocco -- :wq!