@nielsk does your imap server use SSL certs? That should prevent mitm attacks like this. Or at least warn of them.
@ed1conf @UkiahSmith The mail client talks to the MS cloud and the MS cloud talks with the mail servers. Tbh I only looked at contacted IPs and didn't dive deeper because I just wanted to see why it didn't work for my colleague. So I looked at the dump and searched for the IPs I expected them to connect to, which they didn't, and looked at my mail server logs and only saw an MS cloud IP. (1/4)

I guess the mail client just talks with MS, submits the data and actually the "MUA" sits in the MS cloud and does all the rest. It is not like with a browser where you see a URL you connect to and can check the cert. You enter your mail server and your credentials and then you have a representation of your mailbox with your mails. (2/4)

Actually a browser could do that, too, since they represent that you are entering a URL and get a page displayed. But a "browser" could also be transmitting just the URL to some cloud machine which will do everything for you and then the "browser" on your machine displays the page and everything. But nobody did it so far. (3/4)

I guess Outlook New is just a glorified webmailer (and from what I've read it is a chromium wrapper) which looks like a local app. That would also explain why it won't start when you are offline. (4/4) @UkiahSmith @nielsk
@UkiahSmith
It would depend on which piece is verifying the SSL/TLS certs.
If the Outlook (New) client does the "I'm talking to neilscorp.example.com" verification, then it's less bad because in theory the MS machines are only acting as a conduit for encrypted bits (still dumb because it breaks when attempting to connect to mailservers in RFC1918 ranges).
However, if the local client is talking to the MS cloud, and it's the cloud machines that initiate the conversation to the mail server and check the SSL/TLS certs (which is what I suspect is happening; @nielsk doesn't provide pcaps nor detail whether the client is connecting to some web-servicey port like 443 instead of mail-servicey ports), then SSL/TLS certs don't protect.
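The observation in the thread is that the mail server log showed a cloud IP logging in with the user's credentials rather than the user's own client. As an added example (not code from anyone in this thread), here is a small check a mail administrator can run over Dovecot-style `imap-login` lines to flag users whose credentials are being presented from outside the networks their clients are expected to use. The log lines, the user names and the IP addresses are constructed placeholders, and the expected networks (office LAN plus VPN) are an assumption to adjust for your own site.

```python
import ipaddress
import re

# Constructed sample lines in Dovecot's imap-login format; the addresses are
# documentation/placeholder values, not real client or cloud IPs.
SAMPLE_LOG = """\
Jan 12 10:15:02 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.168.1.20, lip=192.168.1.5, TLS, session=<a1>
Jan 12 10:16:41 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.77, lip=192.168.1.5, TLS, session=<b2>
Jan 12 10:17:05 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=203.0.113.78, lip=192.168.1.5, TLS, session=<b3>
Jan 12 10:18:30 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=10.8.0.14, lip=192.168.1.5, TLS, session=<c4>
"""

# Assumption: users' own mail clients only ever connect from the office LAN
# and the VPN pool. Anything else is some third party holding the password.
EXPECTED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

LOGIN_RE = re.compile(r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)")


def parse_logins(log_text):
    """Yield (user, remote_ip) for every successful IMAP login line."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("user"), ipaddress.ip_address(m.group("rip"))


def relayed_logins(log_text, expected_nets=EXPECTED_CLIENT_NETS):
    """Return {user: sorted list of source IPs outside the expected networks}.

    A hit means the user's credentials were presented by a machine that is not
    their client, e.g. a cloud relay acting as the MUA on their behalf, which
    is exactly the pattern seen in the server logs described above."""
    suspects = {}
    for user, rip in parse_logins(log_text):
        if not any(rip in net for net in expected_nets):
            suspects.setdefault(user, set()).add(str(rip))
    return {u: sorted(ips) for u, ips in suspects.items()}


if __name__ == "__main__":
    for user, ips in relayed_logins(SAMPLE_LOG).items():
        print(f"{user}: credentials used from outside expected networks: {', '.join(ips)}")
```

This does not tell you whether the relay verified the server certificate; it only shows which accounts have had their password handed to a machine you do not control, which is the list of users to follow up with.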