View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000056||Main CAcert Website||account administration||public||2005-09-07 18:14||2013-11-20 22:23|
|Fixed in Version||2006|
|Summary||0000056: EMail Ping not safe enough|
|Description||When the user clicks on the Email Ping URL, the first HTTP GET Request automatically accepts the EMail as valid for the user.
There are two problems with it:
1. Some Email clients send an invisible (for the user) HTTP GET first, to determine the mimetype of the resulting answer, and afterwards open either a browser or a dedicated application (Acrobat Reader, ...) and give it the URL.
This results in the first invisible request being accepted by CAcert, and the second visible one resulting in an unspecific error message, which says that the Email Ping was already acknowledged.
The workaround is to copy the URL from the Email, and open it manually in a Browser.
Additionally it can be reproduced with a single-request Browser by refreshing the page (press F5 or Alt+R).
Refreshing an HTTP GET page generally should not result in an error message, according to the HTTP standard RFC.
2. There is no authentication for the HTTP GET page, which has the result that anyone can confirm an EMail Ping without having a CAcert account.
Now if someone wants to get a certificate for someone else's email address, he just has to continuously send Email Pings, until that person at some point clicks on the link by accident or out of curiosity. Just clicking the link is enough for the first person to get a CAcert certificate for the email address.|
|Additional Information||Proposed fix:
We have several possibilities:
* We could only provide the HASH in the EMail, which has to be copied and pasted into a form field that is only available in a logged-in session.
* Email Ping URL -> click -> "Thanks for submitting the Email Ping. Please login to activate it" -> Login -> "Thank you, your Email Ping was successfully activated now".
What will not work:
* Demanding a https://secure.cacert.org/ login. (The user needs the Email Ping to get a certificate with which he can log in ;-)|
|Tags||No tags attached.|
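The two flaws the report describes (a GET whose first request, including a mail client's prefetch or a browser refresh, confirms the address, and a confirmation that is not tied to any account) shown next to a hardened flow along the lines of the proposed fix, as an added example that is not CAcert's verify.php code. The `PingStore` class, its method names and the account and e-mail values are assumptions constructed for illustration.

```python
import secrets


class PingStore:
    """In-memory store of outstanding e-mail pings (constructed for illustration)."""

    def __init__(self):
        # token -> {"account": requesting account, "email": address, "state": pending|confirmed}
        self.pings = {}

    def issue(self, account, email):
        """Create a ping for an address on behalf of the account that asked for it."""
        token = secrets.token_urlsafe(32)
        self.pings[token] = {"account": account, "email": email, "state": "pending"}
        return token

    # Flawed flow (problems 1 and 2 in the report): any GET confirms the address for
    # whichever account requested the ping, and a second GET is reported as an error.
    def confirm_on_get(self, token):
        p = self.pings.get(token)
        if p is None:
            return "unknown"
        if p["state"] == "confirmed":
            return "error: already acknowledged"
        p["state"] = "confirmed"
        return "confirmed"

    # Hardened flow, step 1: GET has no side effect, so a prefetch or F5 changes nothing.
    def show(self, token):
        p = self.pings.get(token)
        return None if p is None else {"email": p["email"], "state": p["state"]}

    # Hardened flow, step 2: the decision is an explicit POST choice, and the session
    # must belong to the account that requested the ping, so a third party who
    # merely receives the mail cannot confirm it for the requester.
    def decide(self, token, session_account, choice):
        p = self.pings.get(token)
        if p is None:
            return "unknown"
        if p["account"] != session_account:
            return "forbidden"
        if choice == "reject":
            del self.pings[token]
            return "rejected"
        if choice != "accept":
            return "bad-choice"
        # Repeating an accept is idempotent rather than an error.
        p["state"] = "confirmed"
        return "confirmed"
```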
When adding an e-mail account, a message is sent to that account. The recipient then just has to click the link and the e-mail account will get the status verified.
This verification method is very insecure, because a CAcert member could try to verify another person's e-mail account as his own. If that other person never heard about CAcert, he will be surprised when he receives the e-mail with the confirmation link. That e-mail message does not contain any information about misuse. Therefore it is very likely that the recipient will click the link to find out what this message is about, thereby confirming the account for the attacker.
I propose that additional information regarding misuse is included in the confirmation message. Further, just clicking the link should not suffice. I think it is safer if one additionally has to enter his password or present a certificate to get authenticated. This prevents a third party from accidentally confirming the e-mail account for another person.
This case is a bit tricky and may lead to other problems as well. For example, phishers could use such verification emails/links to steal other people's CAcert passwords.
I'd recommend sending out an email like this:
You requested to connect the following domain or email address to your CAcert Account:
This email was sent to you to find out if you really own that domain or email address. Please click on the following link. There you can choose whether to add it to the CAcert database or not. On that page you can also notify the CAcert Support if someone misused your email address or domain name.
Please close your browser window after you have decided what to do! Never provide your username or password to a website that was sent to you by email. Beware of phishers who send you fake links to steal your password!
I see no reason why the user should log in. Clearly saying "YES, add my domain", "NO, do not add my domain" and "NO, do not add my domain but notify support" should be sufficient.
||Added extra handling in verify.php...|
|2005-09-07 18:14||Sourcerer||New Issue|
|2005-12-02 11:39||evaldo||Relationship added||related to 0000045|
|2006-01-06 01:51||Sourcerer||Note Added: 0000073|
|2006-01-06 01:52||Sourcerer||Status||new => needs work|
|2006-01-06 01:52||Sourcerer||Assigned To||=> duane|
||Note Added: 0000201|
|2006-08-14 04:14||duane||Status||needs work => solved?|
|2006-08-14 04:14||duane||Fixed in Version||=> production|
|2006-08-14 04:14||duane||Resolution||open => fixed|
|2006-08-14 04:14||duane||Note Added: 0000419|
|2007-10-24 06:19||evaldo||Assigned To||duane =>|
|2007-10-24 06:19||evaldo||Status||solved? => closed|
|2013-01-13 15:04||Werner Dworak||Fixed in Version||=> 2006|
|2013-11-20 22:23||NEOatNHNG||View Status||private => public|