ssl certificate & offline connector (serious security issue)
messenger

Messages: 1
Karma: 0
Hi folks,

I'm a little bit concerned about security using the KOC on notebooks of the field staff.

I did install an SSL certificate on the Kerio Connect server. It works fine with Kerio webmail: the browser reliably verifies and encrypts webmail sessions with the Kerio Connect server host. Interception attempts cause the browser to issue adequate warnings. Man-in-the-middle attack attempts are cut off - and that's what it's for, right?

So far, so good. But in KOC, when I activate the option to use SSL (server details tab of KOC), KOC does not check whether the server certificate is valid for the specific host it's connecting to. It connects anyway and works just fine with any untrustworthy host. That way the encryption is almost worthless in the sense of protecting sensitive data and is reduced to a technical gimmick.

I don't believe it is supposed to work that way. KOC seems mature, way beyond the beta phase. I'm sure I missed something in the configuration.

Any advice on how to get KOC to validate the host it is communicating with?
dexterb

Messages: 36
Karma: 0
Which connector do your remote users have...Kerio Offline Connector (KOff)?
Edit: Sorry, your title does say "offline connector"

[Updated on: Thu, 30 June 2011 16:43]

TorW

Messages: 769
Karma: 9
Quote:
But in KOC when I activate to use SSL (server details tab of KOC), KOC does not check if the server certificate is valid for the specific host it's connecting to. It connects anyway and works just fine with any untrustworthy host.

Not sure what you mean by "valid for the specific host" and "untrustworthy host", but anyway:

IMAP-TLS (which KOC uses) only checks the hostname you specified in the connection details against the hostname in the certificate. If they match, everything's OK and the connection continues. This is per RFC2595. It's how the implementation MUST work.

Checking the certification chain (i.e. if the certificate is signed by a trusted CA) is a client issue and is not inherent in all IMAP-TLS implementations. In my opinion, having a certificate signed by a third party does not necessarily increase security. It just proves you at one point had a credit card whose number you handed over to the SSL mafia.

However, if you create and install a certificate on the server, with a host name differing from the host name in the KOC connection setup and the connection does not fail, KOC has a bug. A pretty big, stupid one at that.

On the other hand, KOC as a product is dead and has been for a while. I doubt Kerio Inc. will fix it.

[Updated on: Thu, 30 June 2011 19:49]
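The two checks TorW separates above (the mandatory hostname match against the certificate, and the optional chain check against a CA the client trusts) as an added Python example; this is not code from the thread or from Kerio's products. The certificate dictionaries are constructed samples in the shape ssl's getpeercert() returns, and connect_imap() with its cafile argument (pinning a private CA instead of a purchased one) is an assumption for illustration.

```python
import imaplib
import ssl


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against the configured hostname.
    A single leading '*' wildcard matches exactly one label, as in RFC 6125."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """The check the thread says an IMAP-TLS client MUST do: does the certificate
    name the host we asked for? Prefer subjectAltName DNS entries and fall back
    to the subject commonName only when no SAN is present."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_dns_name_matches(n, hostname) for n in san)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def verifying_context(cafile=None):
    """Hostname check plus chain check. cafile=None uses the system trust store;
    a private CA file pins your own CA, no third-party signature needed."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def gimmick_context():
    """The behaviour the original poster observed: TLS with no identity check.
    Encrypts the session but accepts any certificate from any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_imap(host, cafile=None):
    """Hypothetical helper: IMAP over TLS on 993 with full verification."""
    return imaplib.IMAP4_SSL(host, 993, ssl_context=verifying_context(cafile))


# Constructed sample certificates (not from the thread), in getpeercert() shape.
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
```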
