
Resolved
0 votes
I have not done testing, but it's come to my attention that 2FA does no checks to make sure that your outgoing SMTP server is using SSL, meaning that 2FA codes could potentially be sent in clear text over SMTP, which, correct me if I am wrong, can easily be sniffed and parsed if you know what ports to sniff while you press 'send code', and if you're sniffing after you get past the login, verifying that the login information is indeed correct.

I will say this again: for properly secure 2FA you should have the 2FA field on the login page regardless of the package being installed and regardless of being already logged in. This way you can give a generic 'incorrect information' response instead of letting an attacker know (1) that the password is correct and (2) that 2FA is even enabled.

Having 2FA on the primary login regardless of it actually being installed and enabled, along with a generic canned response, will deter attackers from progressing further into your system, as they will not know whether the password is wrong and may be scared off by the fact that there is 2FA, unless they know that it's SMTP 2FA, at which point they can sniff the unencrypted mail ports to see if 2FA codes are sent in clear text.

Oh yeah, and it should check for and prevent enabling 2FA without SMTP being set up and using SSL, not just as long as it's working. You need to focus on security; you're a gateway product.

Thanks again.

~Jayli

P.S. 3 years and nothing done about the one exploit. https://www.clearos.com/clearfoundation/social/community/2fa-is-flawed
Saturday, February 13 2021, 11:09 PM
Responses (1)
  • Accepted Answer

    Monday, February 15 2021, 02:41 PM - #Permalink
    Resolved
    0 votes
    2FA uses Postfix for sending e-mails and, AFAIK, Postfix will always try to send e-mails over SSL - see smtp_tls_security_level=may in /etc/postfix/main.cf.

    In terms of the other issues, 2FA is a third-party app, but its developers are not doing any development of their packages any more. If anyone wants to patch the program they are welcome to. Either create a merge request or point me to the updated files for me to merge and push through the build system.
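The thread turns on what `smtp_tls_security_level = may` actually guarantees. Per postconf(5), `may` is opportunistic TLS: the Postfix client uses STARTTLS only if the relay advertises it, and otherwise delivers in cleartext; `encrypt` (and the stricter `verify`/`secure`) refuses to send without TLS. The block below is an added example for this thread, not code from ClearOS or the 2FA app: it classifies the client policy found in a main.cf and probes a relay on a plain SMTP port to see whether STARTTLS is offered at all, which is the check the original post asks the 2FA enable step to perform. The relay host/port, the sample main.cf text and the in-process fake relay are constructed for the demo.

```python
"""Check whether 2FA codes relayed through Postfix can leave in cleartext.

Added example for this thread, not code from ClearOS or the 2FA app.
Two checks:
  1. classify the Postfix client policy in main.cf (smtp_tls_security_level);
  2. connect to the relay on a plain SMTP port, EHLO, and report whether it
     advertises STARTTLS at all.
Hostnames, ports and the fake relay below are constructed for the demo;
point relay_offers_starttls() at the real relayhost in production.
"""
import re
import smtplib
import socketserver
import threading

# smtp_tls_security_level values (postconf(5)) and whether that level lets
# Postfix fall back to cleartext when the remote MTA offers no STARTTLS.
# An empty/absent value defers to the legacy smtp_use_tls/smtp_enforce_tls
# parameters, whose defaults mean no TLS, so it is treated as cleartext-capable.
CLEARTEXT_FALLBACK = {
    "": True, "none": True, "may": True, "dane": True,
    "encrypt": False, "dane-only": False, "fingerprint": False,
    "verify": False, "secure": False,
}

# Anchored at column 0: '#' comment lines and whitespace-indented
# continuation lines never match.
_LEVEL_RE = re.compile(r"^smtp_tls_security_level\s*=\s*(\S*)\s*$", re.M)


def postfix_tls_level(main_cf: str) -> str:
    """Return the effective smtp_tls_security_level from main.cf text.

    For repeated parameters Postfix uses the last assignment, so the last
    match wins; absent means '' (legacy behaviour, see CLEARTEXT_FALLBACK).
    """
    matches = _LEVEL_RE.findall(main_cf)
    return matches[-1].lower() if matches else ""


def postfix_allows_cleartext(main_cf: str) -> bool:
    """True if this client policy can ever deliver a message unencrypted."""
    level = postfix_tls_level(main_cf)
    if level not in CLEARTEXT_FALLBACK:
        raise ValueError(f"unknown smtp_tls_security_level: {level!r}")
    return CLEARTEXT_FALLBACK[level]


def relay_offers_starttls(host: str, port: int, timeout: float = 5.0) -> bool:
    """EHLO the relay over a plain TCP connection and report STARTTLS support.

    This is the precondition for 'may' to ever encrypt: if the relay does not
    advertise STARTTLS, opportunistic TLS silently becomes cleartext.
    """
    with smtplib.SMTP(host, port, local_hostname="2fa-probe", timeout=timeout) as smtp:
        code, _banner = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return smtp.has_extn("starttls")


class _FakeRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for a relay: speaks only the banner, EHLO and QUIT."""
    advertise_starttls = False

    def handle(self):
        self.wfile.write(b"220 relay.example ESMTP (constructed test relay)\r\n")
        for line in self.rfile:
            verb = line.split(b" ", 1)[0].strip().upper()
            if verb == b"EHLO":
                ext = b"250-STARTTLS\r\n" if self.advertise_starttls else b""
                self.wfile.write(b"250-relay.example\r\n" + ext + b"250 8BITMIME\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def probe_fake_relay(advertise_starttls: bool) -> bool:
    """Start the constructed relay on a loopback port, probe it, tear it down."""
    handler = type("Relay", (_FakeRelay,), {"advertise_starttls": advertise_starttls})
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return relay_offers_starttls("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()


if __name__ == "__main__":
    # Constructed main.cf fragment mirroring the setting named in the answer.
    sample_cf = "relayhost = [smtp.example]:587\nsmtp_tls_security_level = may\n"
    print("main.cf allows cleartext fallback:", postfix_allows_cleartext(sample_cf))
    print("relay advertising STARTTLS ->", probe_fake_relay(True))
    print("relay without STARTTLS     ->", probe_fake_relay(False))
```

A 2FA enable step that wanted the guarantee the original post asks for would require both `postfix_allows_cleartext()` to be False and `relay_offers_starttls()` to be True for the configured relayhost; either one alone still leaves a path for a code to go out unencrypted.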