undefined | Better HN

0 pointsneohaven12y ago0 comments

How are they going to log in to your email account to MITM it, exactly, other than sending your password in cleartext to them? I'm not saying the connection itself is cleartext, but that they will be storing your email password in cleartext(!) to access your account at your email provider...

0 comments

14 comments · 4 top-level

tedunangst12y ago· 7 in thread

I think "your password is sent to LinkedIn" sufficiently and accurately describes what's happening. Adding "in cleartext" typically means via an unencrypted channel. Think about. Think about it. Every time you login into a website via password, your browser sends the password to the server. We don't usually call that out for being in plaintext, unless it really is using http.

tghw12y ago

I think what they're getting at is that LinkedIn has a plaintext copy of your email password, not necessarily that it got there via some unencrypted channel. And because LinkedIn needs to be able to log in again, it has to store it in plaintext, which then leads to the possibility of another incident where they leak millions of passwords[0].

[0] http://www.zdnet.com/blog/btl/6-46-million-linkedin-password...

tedunangst12y ago

It doesn't actually need to store it to log in again. The next time your phone connects to linkedin's proxy, it will provide the password again. Yes, this is basically the same as omnipresent, but not quite. If the servers are confiscated/stolen in a powered down state, the passwords aren't there to recover. You can immediately limit your exposure by not using the service. There are no backup tapes to accidentally go missing.

Also, while rare, the client could theoretically be using something like kerberos to authenticate, even over tls. The password exchange is secret, but the data contents would not be. I don't think the iphone supports kerberos, though.

(All this is not proof that they aren't your storing password, just that it's feasible for linkedin to merely pass it through. And possible, though not probable, for them to never even see the password.)

nopassrecover12y ago

Interestingly in a world of front-end JS frameworks you could fix this by encoding client-side before submission.

annnnd12y ago

DON'T! Just don't.

Encrypting user credentials in JS is probably even worse than parsing HTML with regular expressions: http://stackoverflow.com/questions/1732348/regex-match-open-...

Just send it in cleartext, but over properly verified https.

2 more replies

Xorlev12y ago

Or, use TLS and get it for free. Crypto on JS is a scary, scary world.

1 more reply

subb12y ago

Well, if you hash your password client-side, what's the difference from using clear text? A MITM will intercept your hashed password and use that to login.

1 more reply

hfern12y ago

I believe vBulletin actually does this.

1 more reply

ocrickard12y ago· 2 in thread

It's worth noting that they specifically state that for Gmail they can use OAuth through the refresh/access token system. Hopefully they do this for all other IMAP servers that support OAuth (there are a couple of them now).

However, for traditional IMAP/SMTP servers your point is well taken. They must store your credentials in a restorable state, which, however carefully you do, has difficult security implications.

tedunangst12y ago

It's a proxy. It doesn't need to store anything. The server asks for a password, the proxy asks the client.

ocrickard12y ago

In order to inject content into the stream, they must be able to decrypt and interpret the stream. It is not quite as simple as a traditional proxy which may not actually have to know the content it is transmitting. They must have all content you send over the stream for a short period of time in-memory in a restorable (if not plaintext) state in order to read from the client's IMAP stream, interpret, then send over the IMAP server's secure SSL stream. The short period of time over which they must keep it does not free them from the security implications. All an intruder must do is gain access, then monitor the stream. I'm not saying that this is impossible to mitigate, just that you're trusting them to do it right.

csarva12y ago· 1 in thread

They need your cleartext pw in order to create a config profile and that's it. Why would they need to store your pw at all? Once the config profile is setup, the IMAP AUTH request gets proxied through them to the original provider and handled as normal. No need to store any pws at the proxy.

gnur12y ago

Except that the proxy is accessing YOUR imap provider for new mail. Every time they connect to that imap server they'll need your credentials.

mindprince12y ago

They won't be storing the email password in cleartext. They would probably be using reversible encryption.

Here's how Mint.com stores your banking credentials: https://www.quora.com/How-do-mint-com-and-similar-websites-a... I assume LinkedIn Intro would be using a similar technique.

j / k navigate · click thread line to collapse

0 comments

14 comments · 4 top-level

tedunangst12y ago· 7 in thread

tghw12y ago

[0] http://www.zdnet.com/blog/btl/6-46-million-linkedin-password...

tedunangst12y ago

nopassrecover12y ago

Interestingly in a world of front-end JS frameworks you could fix this by encoding client-side before submission.

annnnd12y ago

DON'T! Just don't.

Encrypting user credentials in JS is probably even worse than parsing HTML with regular expressions: http://stackoverflow.com/questions/1732348/regex-match-open-...

Just send it in cleartext, but over properly verified https.

2 more replies

Xorlev12y ago

Or, use TLS and get it for free. Crypto on JS is a scary, scary world.

1 more reply

subb12y ago

Well, if you hash your password client-side, what's the difference from using clear text? A MITM will intercept your hashed password and use that to login.

1 more reply

hfern12y ago

I believe vBulletin actually does this.

1 more reply

ocrickard12y ago· 2 in thread

However, for traditional IMAP/SMTP servers your point is well taken. They must store your credentials in a restorable state, which, however carefully you do, has difficult security implications.

tedunangst12y ago

It's a proxy. It doesn't need to store anything. The server asks for a password, the proxy asks the client.

ocrickard12y ago

csarva12y ago· 1 in thread

gnur12y ago

Except that the proxy is accessing YOUR imap provider for new mail. Every time they connect to that imap server they'll need your credentials.

mindprince12y ago

They won't be storing the email password in cleartext. They would probably be using reversible encryption.

Here's how Mint.com stores your banking credentials: https://www.quora.com/How-do-mint-com-and-similar-websites-a... I assume LinkedIn Intro would be using a similar technique.

j / k navigate · click thread line to collapse