4

While setting up the Dovecot IMAP service, I noticed that the default parameters are not optimal; it allows SSLv3, for example. Using Thomas Pornin's TestSSLServer.java program, I saw the following:

...
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: vulnerable

For comparison, GMail seems not to be vulnerable to either attack:

$ java TestSSLServer imap.gmail.com 993
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_RC4_128_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_RC4_128_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
----------------------
Server certificate(s):
  89091347184d41768bfc0da9fad94bfe882dd358: CN=imap.gmail.com, O=Google Inc, L=Mountain View, ST=California, C=US
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected

Vulnerability to CRIME is tested by checking whether compression is enabled or not. Someone from the Dovecot mailing list asserted that BEAST does not apply to mail. Is that true? Should I be worried about BEAST and/or CRIME in the context of an IMAP service?

By only allowing TLSv1.1 and up, the BEAST status turns into "protected". I was not able to disable compression though. What are the recommended parameters for an IMAP service where the clients are sufficiently modern?

Lekensteyn
  • 2
    I think you should be allowing only TLSv1.1 and up anyway. I'm not a crypto wizard, but I think that CRIME is, practically speaking, only relevant when it comes to things like HTTP headers, and both attacks (CRIME and BEAST) _depend_ on malicious code being executed on the client. I don't see how you can do that under IMAP using a mail client. With my shallow knowledge, I'd say that CRIME and BEAST do not apply in this situation. – Adi Feb 15 '14 at 15:12

1 Answer

4

CRIME and BEAST are chosen-ciphertext attacks. The attacker needs to send tens of thousands of requests in the connection of the user. This works well for a web browser. Theoretically, it is possible for IMAP by sending mails to the victim; however, the target plaintext (IMAP password) needs to be in the same packet as the chosen ciphertext. This is usually not the case for IMAP.

Nevertheless, it's probably good to copy the offered SSL versions and algorithms of popular IMAP services, like Google.

fel1x
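
A small checker for the TestSSLServer output format shown in the question, as an added example that is not part of the original post or answer: it flags protocol versions below TLSv1.1 (with the CBC suites reachable under them, expanding the "idem" shorthand) and enabled compression, the two conditions the question ties to BEAST and CRIME. The sample report and the function names are constructed, and this does not reproduce TestSSLServer's own status logic.

```python
import re
# Constructed sample in the TestSSLServer output format quoted in the question.
SAMPLE = """\
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: yes
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_SHA
     RSA_WITH_AES_128_CBC_SHA
  (TLSv1.0: idem)
  (TLSv1.1: idem)
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA
     TLS_RSA_WITH_AES_128_GCM_SHA256
----------------------
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1.0"}  # anything below TLSv1.1

def parse_report(text):
    """Return (versions, compression_enabled, {version: [suites]})."""
    versions, compression, suites, current = [], None, {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Supported versions:"):
            versions = s.split(":", 1)[1].split()
        elif s.startswith("Deflate compression:"):
            # Assumption: any value other than "no" means compression is on.
            compression = s.split(":", 1)[1].strip().lower() != "no"
        elif m := re.fullmatch(r"\((\S+): idem\)", s):
            # "idem": same suite list as the version listed just before.
            suites[m.group(1)] = list(suites.get(current, []))
            current = m.group(1)
        elif s.startswith("---"):
            current = None  # end of the cipher suite section
        elif s in versions:
            current, suites[s] = s, []
        elif current and s:
            suites[current].append(s)
    return versions, compression, suites

def audit(text):
    versions, compression, suites = parse_report(text)
    findings = []
    for v in (v for v in versions if v in LEGACY):
        cbc = [c for c in suites.get(v, []) if "_CBC_" in c]
        findings.append(f"{v} offered with {len(cbc)} CBC suite(s)")
    if compression:
        findings.append("TLS compression enabled")
    return findings
```

Feeding it the saved output of a scan before and after a configuration change gives a quick diff of what the server still offers.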