Re: Security issues (ssl/tls) was: Anyone else seeing slow gmail



On 2016-07-26 15:11, Jack wrote:
> On 2016.07.22 12:08, Albrecht Dreß wrote:
>> On 21.07.16 23:58, Jack wrote:
>>> Is there any (reasonably easy) way to determine which version is
>>> actually being used?  I've tried balsa -d with debug checked in the
>>> config page, but don't see anything useful.  In the popfile log, I
>>> see "pop3: 529: Attempting to connect to SSL server at
>>> pop.gmail.com:995" but a few lines later I see "auth plaintext".  I
>>> suppose next I'll start digging into the ssl config itself to see
>>> what logging it does.  I really don't want to have to resort to
>>> setting up wireshark, but I suppose it's an option to be certain.
>>
>> Wireshark is actually the easiest way:
>> - choose the proper interface
>> - set "tcp.port == 995 && ssl.handshake" as filter
>>
>> In the dump, the "Protocol" column will show the protocol version
>> being used (TLSv1 or TLSv1.1 or TLSv1.2 - only the latter should be
>> used).  You may want to look into the packet details to see the
>> negotiated cipher, etc.  Note that even if Balsa offers (in the
>> client hello negotiation phase) TLSv1.2, the server may force the
>> connection to use TLSv1.
>>
>> The "auth plaintext" operation is absolutely safe if it is performed
>> over an encrypted connection.
>
> Very strange.  There are three POP servers I use.
> 1) inbound.att.net, which shows in wireshark with a different (yahoo
> based) name, but the right IP address.  It does use TLSv1.2.
>
> 2) pop3.frontier.com, of which I see no evidence in the wireshark
> capture.  Once I changed a :995 to :ssl in the setup, it did start
> using 995.
>
> 3) pop.gmail.com.  The name does not show up in wireshark, but there is
> talk with an IP address which does at least look up to Google.  It is
> also using TLSv1.2, with TLS_ECDHE_TSA_WITH_AES_128_CBC_SHA.  So -
> balsa apparently does use TLSv1.2, and now I am back to not knowing
> what gmail is complaining about with an insecure connection.  I've
> asked again through the university who provides that gmail account.
>
> Still more homework to do - I'll post a follow-up when I have any more
> useful information.

In general, Google wants you to use OAuth2, not userid/password.

If you are using ID/PW, it declares it insecure.

--
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 214-642-9640                 E-Mail: ler lerctr org
US Mail: 17716 Limpia Crk, Round Rock, TX 78664-7281
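
The check discussed in this thread (which protocol version and cipher suite the server actually selected, whatever the client offered) can also be made by reading the ServerHello record directly. The following Python sketch is an added example, not code from Balsa or from any poster; the function names, the small cipher table and the sample bytes are constructed for illustration.

```python
import struct

# Version numbers as they appear on the wire, with the names Wireshark displays.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# Small subset of the IANA cipher suite registry, enough for the samples below.
SUITES = {
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def parse_server_hello(data: bytes) -> dict:
    """Return the protocol version and cipher suite the server selected."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) < max(rec_len, 4) or body[0] != 0x02:   # 0x02 = ServerHello
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed prefix: version(2) + random(32) + session_id length(1)
    if len(hello) < max(hs_len, 35):
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(hello[0:2], "big")
    off = 35 + hello[34]                           # skip the session id
    if len(hello) < off + 3:                       # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = int.from_bytes(hello[off:off + 2], "big")
    return {
        "version": VERSIONS.get(version, hex(version)),
        "cipher": SUITES.get(suite, hex(suite)),
        "acceptable": version >= 0x0303,           # only TLSv1.2 should be used
    }


def build_sample(version: int, suite: int) -> bytes:
    """Constructed ServerHello: zero random, empty session id, no extensions."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


if __name__ == "__main__":
    print(parse_server_hello(build_sample(0x0303, 0xC013)))
    print(parse_server_hello(build_sample(0x0301, 0x002F)))  # server forced TLSv1
```

A TLS 1.3 server also puts 0x0303 in this field and signals the real version in the supported_versions extension, which this parser does not read.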

