maddy icon indicating copy to clipboard operation
maddy copied to clipboard
verified publisher icon foxcpp

Research and relevant mitigations for ALPACA attack

Open foxcpp opened this issue 4 years ago • 1 comments

Ref. https://alpaca-attack.com/

We believe it is a popular to use the same certificate for web server and mail server (e.g. #296) therefore maddy could be affected by this attack when using in such way.

We should advise against using it and/or add necessary mitigations to the code.

  • [ ] ~~Implement ALPN and require strict matching when negotiated (IMAP, there is no standard value for SMTP but negative check might be possible).~~
  • [x] Discard SMTP connections if commands look like HTTP requests.
  • [ ] Discard IMAP connections if commands look like HTTP requests.
  • [ ] Add recommendation in the documentation covering this problem.

foxcpp avatar Jun 10 '21 12:06 foxcpp

On point 2: go-smtp terminates the connection after just 3 protocol errors, this is enough to terminate connection if any HTTP request is misdirected to the server.

foxcpp avatar Jun 10 '21 13:06 foxcpp