Bugtraq mailing list archives

Re: Norton AV 2002 rewriting SMTP, breaking TLS


From: Adam Shostack <adam () homeport org>
Date: Mon, 22 Jul 2002 10:09:33 -0400

On Fri, Jul 19, 2002 at 02:40:16PM -0400, Owen, Greg wrote:
| > I saw this behavior in Norton AV 2000.  After searching their 
| > web site, I found the information saying that they just plain
| > don't support SSL encrypted email.  You have to pick, auto-scan
| > AV, or encrypted session.
| 
|       I ran into this bug (yes, I'll call it a bug) in Norton a few
| months ago.  I can only say that there is a special circle in hell
| reserved for companies which _silently_ disable security measures in
| order to let their product carry out a procedure (especially a redundant
| procedure).
| 
|       While we're on STARTTLS issues, another security issue people
| should be aware of is that mail clients (I've seen this on OE, but I'm
| betting it is pretty common) only use SSL for encryption, not
| authentication.  In other words, if you just happen to be in a hotel
| with one of those ethernet devices, and the hotel ISP happens to
| silently redirect port 25 to their own SMTP relay, and their SMTP relay
| supports STARTTLS with a valid certificate, then your mail client will
| very happily transmit your SMTP AUTH credentials to their server,
| thinking it is your own that it is talking to.  This one bit me at SANS
| Orlando 2002 (Thank you, Marriott...)

So if the Marriott can do this, why can't Norton?

It seems to be the perfect solution; encrypt to the AV product, which
is doing a MITM attack, and then from the AV product to your mail
server.

Which of course will make figuring out what the cert on the far end is
*even trickier*, but hey, it's a small price to pay for
anti-eavesdropping.

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
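
The client-side check discussed in this thread, as an added example that is not part of the original post: a Python sketch that refuses SMTP AUTH unless STARTTLS is offered and the certificate names the server the user configured. The host names and the two certificate dictionaries are constructed sample data, and `send_authenticated` is a hypothetical helper name.

```python
import smtplib
import ssl

# Constructed samples, shaped like the dict SSLSocket.getpeercert() returns.
OWN_SERVER_CERT = {"subjectAltName": (("DNS", "mail.example.org"),
                                      ("DNS", "*.example.org"))}
HOTEL_RELAY_CERT = {"subjectAltName": (("DNS", "smtp.hotel-isp.example"),)}

def strict_context():
    """TLS context that authenticates the peer instead of only encrypting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # set explicitly so the intent is visible
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def name_matches(pattern, host):
    """Exact match, or a single leftmost '*' label (never '*.tld')."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_is_for(cert, expected_host):
    """True only if a DNS subjectAltName covers the configured host."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(s, expected_host) for s in sans)

def send_authenticated(host, user, password, msg, port=587):
    """Send SMTP AUTH only to a TLS peer that proves it is `host`."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        # A proxy that rewrites the session can strip STARTTLS from EHLO.
        if not s.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; not sending credentials")
        # Handshake fails here if the chain or the host name does not verify.
        s.starttls(context=strict_context())
        s.ehlo()
        # Redundant with check_hostname; kept as an explicit second gate.
        if not cert_is_for(s.sock.getpeercert(), host):
            raise RuntimeError("certificate does not name " + host)
        s.login(user, password)
        s.send_message(msg)
```

A relay with a valid certificate for its own name still fails both gates, because validity of the chain is checked separately from whether the name matches the configured server.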


