Vigil@nce - Evolution: no TLS encryption of Sent
September 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the directory of sent messages is stored on a remote server, the session is not encrypted by Evolution, even if the configuration requests it.
Creation date: 12/09/2011
Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The Evolution program is a messaging client. It can access to a remote IMAP mailbox through a TLS encrypted session.
The directory of sent messages can be stored locally, or on the remote IMAP server. However, the session which stores sent messages is never encrypted by TLS. An attacker can therefore capture emails, or obtain the password used to connect to the IMAP server.
When the directory of sent messages is stored on a remote server, the session is therefore not encrypted by Evolution, even if the configuration requests it.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN