EWS: Blanket SSL Error Ignore undermines security
Steps
- Create a new Exchange account in GOA
- Prompted for an untrusted certificate, click ignore
- Set up a mitmproxy, or use any network with a nefarious actor intercepting TLS sessions
Actual Behaviour
- evolution-ews connects to any EWS and blindly accepts whatever certificate is presented, exposing credentials and confidential information to those actors
- Nothing is logged or shown to the user to inform them that their security is not just gone, but actively and silently undermined
- No option to revise the trust choice for this EWS account
Expected Behaviour
- evolution-ews should trust only the certificate/CA presented at the time the account was created, or on a single connection attempt where the user can confirm the certificate configuration is safe
- Some notification in logs, or preferably in the UI, notifying the user that an exception to certificate trust is in effect. Compare Firefox when an exception has been added: both a symbol in the address bar and an explanation of why the condition is present.
- A mechanism (right-click menu, account config) to reset/revise the certificate trust exception.
Analysis
Accepting a single bad TLS certificate for EWS might be tolerable, especially when the regular service is presented on a private PKI. Silently accepting all errors and not notifying the user in any way is fundamentally dangerous, as the user has no way to evaluate the security of the application and its connectivity, and further has no mechanism to revise these settings short of tearing down the entire account and recreating it.
User should first be given the tools to diagnose and correct the error (#46 is a first step), but if an exemption from validation is required it should be for a specific issuer, not ignoring all SSL errors for all time. Exempting the service from all checks should be a last resort and strongly discouraged.
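To make the difference between the two policies concrete, here is an added example (not evolution-ews or GOA code) of what the expected behaviour above amounts to: a per-host exception that pins the exact certificate the user approved at setup, logs every connection on which the exception is in effect, and can be revoked, shown beside the blanket-ignore policy the report describes. The host name, the store layout and the byte strings standing in for DER certificates are all constructed for the example; pinning the issuing CA instead of the leaf would follow the same pattern with the fingerprint taken from the issuer certificate.

```python
"""Pin-on-first-use TLS exceptions for a mail client (illustrative example, not
evolution-ews code): accept an untrusted server certificate only if it is exactly
the one the user approved, make the exception visible in logs, and allow revoking it."""
import hashlib
import hmac
import json
import logging
import socket
import ssl
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Dict, Optional

log = logging.getLogger("ews.tls")


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class TrustException:
    host: str       # account server the exception applies to
    sha256: str     # fingerprint of the exact certificate the user approved
    reason: str     # verification error that prompted the approval


class ExceptionStore:
    """Per-host, per-certificate exceptions; in memory, optionally persisted as JSON."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self._entries: Dict[str, TrustException] = {}
        if path is not None and path.exists():
            for host, entry in json.loads(path.read_text()).items():
                self._entries[host] = TrustException(**entry)

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps({h: asdict(e) for h, e in self._entries.items()}))

    def record(self, host: str, der_cert: bytes, reason: str) -> TrustException:
        """Called once, after the user confirms the certificate shown at account setup."""
        exc = TrustException(host, fingerprint(der_cert), reason)
        self._entries[host] = exc
        self._save()
        return exc

    def lookup(self, host: str) -> Optional[TrustException]:
        return self._entries.get(host)

    def revoke(self, host: str) -> bool:
        """The 'reset/revise trust' action the report asks for."""
        if self._entries.pop(host, None) is None:
            return False
        self._save()
        return True


def blanket_ignore(der_cert: bytes, host: str, store: ExceptionStore) -> bool:
    """The behaviour reported: every certificate is accepted and nothing is logged."""
    return True


def pinned_check(der_cert: bytes, host: str, store: ExceptionStore) -> bool:
    """Accept only the certificate the user approved; log that an exception is in effect."""
    exc = store.lookup(host)
    if exc is None:
        return False  # no exception recorded: the connection must pass normal validation
    presented = fingerprint(der_cert)
    if not hmac.compare_digest(exc.sha256, presented):
        log.error("TLS: %s presented %s but the pinned exception is %s; refusing connection",
                  host, presented, exc.sha256)
        return False
    log.warning("TLS: exception in effect for %s (%s), pinned certificate %s",
                host, exc.reason, exc.sha256)
    return True


def connect_with_exception(host: str, port: int, store: ExceptionStore,
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Normal validation unless a recorded exception covers the host, in which case
    the pin check above replaces it (not exercised by the offline demo below)."""
    ctx = ssl.create_default_context()
    exc = store.lookup(host)
    if exc is not None:
        # Built-in validation is disabled only because pinned_check() substitutes for it.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout), server_hostname=host)
    if exc is not None and not pinned_check(tls.getpeercert(binary_form=True), host, store):
        tls.close()
        raise ssl.SSLCertVerificationError(f"certificate for {host} does not match pinned exception")
    return tls


# Constructed stand-ins for DER-encoded certificates (not real certificates).
APPROVED_CERT = b"\x30\x82\x01\x00" + b"approved-self-signed-ews-cert"
MITM_CERT = b"\x30\x82\x01\x00" + b"interceptor-issued-cert"


def demo(host: str = "mail.example.com") -> dict:
    """Blanket ignore vs pinned exception against the approved and an intercepting cert."""
    store = ExceptionStore()
    store.record(host, APPROVED_CERT, "self-signed certificate")
    return {
        "blanket_accepts_mitm": blanket_ignore(MITM_CERT, host, store),
        "pinned_accepts_approved": pinned_check(APPROVED_CERT, host, store),
        "pinned_rejects_mitm": pinned_check(MITM_CERT, host, store),
        "revoked": store.revoke(host),
        "pinned_after_revoke": pinned_check(APPROVED_CERT, host, store),
    }
```

Running `demo()` shows the blanket policy accepting the interceptor's certificate while the pinned policy accepts only the approved one, and that revoking the exception returns the host to normal validation. The pin compares SHA-256 fingerprints with a constant-time comparison rather than trusting anything about the presented certificate's contents, which is what keeps a one-time exception from becoming "ignore all SSL errors for all time".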
Seen in evolution-ews 3.26.6 and goa 3.28.1