Hi all:
Out of curiosity, do you use secure email, either at home or at work? What system do you use?
Thunderbird, Enigmail plugin. Yes, I encrypt e-mails whenever I can.
Sadly, it relies on the recipient having a key, and that’s not very
common. Yes, I’d recommend it for everybody since, with the right client
(requires a thick client… no web-only clients can properly do this afaik
since that would involve somehow sharing the private key with something in
or beyond the web browser which is insane), this is really easy to
implement and it is the only way to guarantee your e-mail is kept between
you and the other party (and folks to which either you or the other party
choose to forward the message).
Good luck.
Thanks for the reply. That is what I thought was required.
On 15/08/2013 12:33, cmosentine wrote:[color=blue]
Hi all:
Out of curiosity, do you use secure email, either at home or at work?
What system do you use?[/color]
Whatever the recipient can handle - seriously.
For some, that’s going to be PGP or S/MIME. Those both need preshared keys.
If your employer is willing to spring for the system, oracle based
encryption solutions such as the pgp universal gateway and cisco CRES
are good.
for the rest, just enforced TLS on the outbound smtp bridgehead is about
the best you can do.
cmosentine wrote:
[color=blue]
Out of curiosity, do you use secure email, either at home or at work?
What system do you use?[/color]
I use GroupWise, a secure and reliable collaboration platform.
–
Does this washcloth smell like chloroform?
On 17/08/2013 02:44, Joseph Marton wrote:[color=blue]
cmosentine wrote:
[color=green]Out of curiosity, do you use secure email, either at home or at work?
What system do you use?[/color]I use GroupWise, a secure and reliable collaboration platform.[/color]
HAHAHAHA
Last I looked, the gwia doesn’t even check TLS certificates and has no
way to enforce TLS…
the Trusted Application API lets you connect to anyone’s mailbox you
like, whenever you want, using a standard groupwise client and a half
dozen lines of VBS.
Groupwise is a lot of things, but secure isn’t any of them 
Dave Howe wrote:
[color=blue]
Last I looked, the gwia doesn’t even check TLS certificates and has no
way to enforce TLS…[/color]
Of course GWIA supports SSL/TLS.
[color=blue]
the Trusted Application API lets you connect to anyone’s mailbox you
like, whenever you want, using a standard groupwise client and a half
dozen lines of VBS.[/color]
You need administrator access to even create a trusted application, and
even then you can’t just use a standard GW client to get into a user’s
mailbox. You have to use a third-party application which specifically
uses the trusted app.
On the other hand, with Exchange all an administrator needs to do is
type a single command and now administrators can simply use the Outlook
client to access every single user’s mailbox.
http://help.outlook.com/en-Us/140/gg709759.aspx
–
Does this washcloth smell like chloroform?
On 19/08/2013 13:45, Joseph Marton wrote:[color=blue]
Dave Howe wrote:
[color=green]Last I looked, the gwia doesn’t even check TLS certificates and has no
way to enforce TLS…[/color]Of course GWIA supports SSL/TLS.[/color]
That isn’t what I said. What I said was that, while it supports TLS,
it doesn’t bother checking anything at all in the certificate - not even
expiry or hostname. Try it sometime. It also has no way to enforce it,
so if you simply MitM a gwia connection and remove the “starttls”
response from the EHLO responses, the gwia will happily send the whole
stream unencrypted.
[color=blue][color=green]
the Trusted Application API lets you connect to anyone’s mailbox you
like, whenever you want, using a standard groupwise client and a half
dozen lines of VBS.[/color]You need administrator access to even create a trusted application, and
even then you can’t just use a standard GW client to get into a user’s
mailbox. You have to use a third-party application which specifically
uses the trusted app.[/color]
Erm, no. you need admin access to create the trustapp token - that can
either be restricted to a specific IP (usually a good idea!) or not.
The gwcma1.dll installed in the standard installation of the gw client
has a “SetTrustedApplicationCredentials” method on the application
object, and a login method - call the first in vbs, call the second
(again in vbs) and it will launch a full client logged in as the target
user. By using gwcmb1.dll first, you can list the users in a given post
office so you can select one for the procedure (that may require admin
rights if you want to see/select a user not in the normal address book).
This works, in practice - I have such a vbs script written for
troubleshooting problems with the BES gateways, and it works just fine.
[color=blue]
On the other hand, with Exchange all an administrator needs to do is
type a single command and now administrators can simply use the Outlook
client to access every single user’s mailbox.[/color]
Yup. I do note that you can then go into your outlook client (not the
webapp, sadly) and check to see who has rights to your inbox - but that
doesn’t really matter - pointing and saying “but they are just as bad”
doesn’t work outside of a playground.
Dave Howe wrote:
[color=blue]
The gwcma1.dll installed in the standard installation of the gw
client has a “SetTrustedApplicationCredentials” method on the
application object, and a login method - call the first in vbs, call
the second (again in vbs) and it will launch a full client logged in
as the target user. By using gwcmb1.dll first, you can list the users
in a given post office so you can select one for the procedure (that
may require admin rights if you want to see/select a user not in the
normal address book). This works, in practice - I have such a vbs
script written for troubleshooting problems with the BES gateways,
and it works just fine.Yup. I do note that you can then go into your outlook client (not the
webapp, sadly) and check to see who has rights to your inbox - but
that doesn’t really matter - pointing and saying “but they are just
as bad” doesn’t work outside of a playground.[/color]
I’m not saying Exchange is just as bad. Looks like they are worse.
Look at what you described above and trying to use the GW client to
access users’ mailboxes via the trusted app. Now look at how it’s done
with Exchange. Grab a DLL and put together a VB script? Or just log
into a native client without doing anything? Yeah, exactly.
–
Does this washcloth smell like chloroform?
Joseph Marton,[color=blue]
I’m not saying Exchange is just as bad.[/color]
Wrong response Joe, the correct one would be:
Your message pointed out several possible attacks that I was previously
unaware of. I will take this up with the GW PM right away.
–
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)
Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms
Anders Gustafsson wrote:
[color=blue]
Your message pointed out several possible attacks that I was
previously unaware of. I will take this up with the GW PM right away.[/color]
Ask PM to remove trusted app functionality?
I’m also not sure the SSL/TLS information in this thread is entirely
accurate either.
–
Does this washcloth smell like chloroform?
Joseph Marton,[color=blue]
Ask PM to remove trusted app functionality?[/color]
No, look at possible security implications.
[color=blue]
I’m also not sure the SSL/TLS information in this thread is entirely
accurate either.[/color]
But there is no harm i verifying that, right?
–
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)
Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms
Dave Howe,[color=blue]
That isn’t what I said. What I said was that, while it supports TLS,
it doesn’t bother checking anything at all in the certificate - not even
expiry or hostname. Try it sometime[/color]
Thanks for pointing that out. A bug has been raised so that it will be
properly investigated.
I have also started some discussions internally about possible security
implications of the trusted app interface.
–
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)
Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms
Dave Howe,[color=blue]
The gwcma1.dll installed in the standard installation of the gw client
has a “SetTrustedApplicationCredentials” method on the application
object, and a login method - call the first in vbs,[/color]
But you still need the token, right? Just wanting to clarify things.
–
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)
Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms
Anders Gustafsson wrote:
[color=blue][color=green]
Ask PM to remove trusted app functionality?[/color]
No, look at possible security implications.[/color]
Not a bad idea to check. Just saying based on what’s been described so
far it sounds WAD and wouldn’t necessarily be a security issue. It’d
be sorta like saying if you give someone the password to the tree’s
admin account it’s a security issue that someone can log in with the
Novell client and use a script to nuke a bunch of objects in the tree.
Well, that’s the purpose of the admin account.
[color=blue][color=green]
I’m also not sure the SSL/TLS information in this thread is entirely
accurate either.[/color]But there is no harm i verifying that, right?[/color]
Nope and soon we’ll find out what the story is.
–
Does this washcloth smell like chloroform?
On 19/08/2013 20:23, Anders Gustafsson wrote:[color=blue]
Dave Howe,[color=green]
The gwcma1.dll installed in the standard installation of the gw client
has a “SetTrustedApplicationCredentials” method on the application
object, and a login method - call the first in vbs,[/color]But you still need the token, right? Just wanting to clarify things.[/color]
Yes. This is behavior as designed, not a bug per se - groupwise has a
backdoor to allow admin-authorized users or services unrestricted access
to mailboxes (and as far as I know, you can’t restrict the GWTAPP token
to just a single mailbox, access is granted to all mailboxes)
however, as has been pointed out, to use that backdoor you need to
jump though several hoops.
First, you need to be an admin, or have an admin run GWTAPP on your
behalf (you don’t even need to compile your own GWTAPP, its available as
a nice, friendly installer on the Novell site, but it isn’t part of
anyone’s standard install. You can also “steal” the key from a BES server)
Second, you need to make a couple of API calls (note, you don’t need to
download the dll from anywhere, it comes as standard with the gw client)
Third, and most importantly, you need to know that the above is
possible and how to do it. I went for years thinking that GW was secure,
even from its own administrators. Having to fix a customer’s BES
solution corrected that belief, and once my mindset was correct, a quick
look at the DLL (which I already knew about, due to scripting other
automation tasks) showed me a trusted api login. The documentation also
shows how you could do this using nothing but a key and the telnet app,
if you understand IMAP commands
On 19/08/2013 19:33, Anders Gustafsson wrote:[color=blue]
Dave Howe,[color=green]
That isn’t what I said. What I said was that, while it supports TLS,
it doesn’t bother checking anything at all in the certificate - not even
expiry or hostname. Try it sometime[/color]Thanks for pointing that out. A bug has been raised so that it will be
properly investigated.[/color]
Tried that a couple of years ago, when the lack of any way to enforce or
even check TLS via a GWIA cost me (well, my employer) a UK government
contract - they had to go with exchange, as that can require TLS and
enforce validation with a local CA cert (and enforced TLS was part of
the Code of Connection).
My suggestion, to reproduce the missing functionality by adding exim to
the same SLES box, didn’t go down well either.
On 20/08/2013 11:00, Dave Howe wrote:[color=blue]
Yes. This is behavior as designed, not a bug per se - groupwise has a
backdoor to allow admin-authorized users or services unrestricted access
to mailboxes (and as far as I know, you can’t restrict the GWTAPP token
to just a single mailbox, access is granted to all mailboxes)[/color]
On the bright side - GW seems to support s/mime reasonably well
(although that’s hardly unique), and the mail is stored encrypted, so it
is possible to get a fair bit of security provided you prepare in
advance
Dave Howe,[color=blue]
(and as far as I know, you can’t restrict the GWTAPP token
to just a single mailbox, access is granted to all mailboxes)[/color]
But being able to do so, say per group would be rather cool!
–
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)
Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms
On 20/08/2013 11:42, Anders Gustafsson wrote:[color=blue]
Dave Howe,[color=green]
(and as far as I know, you can’t restrict the GWTAPP token
to just a single mailbox, access is granted to all mailboxes)[/color]But being able to do so, say per group would be rather cool![/color]
Yup. certain Other Systems are very granular - you can grant access down
to individual folders, calenders and so forth - however, GWTAPP was
clearly written as a backdoor for a trusted solution (even the name
suggests that) rather than a general purpose tool.