EWS: Blanket SSL Error Ignore undermines security
- Create a new Exchange account in GOA
- Prompted for an untrusted certificate, click ignore
- set up a mitmproxy or use any network with a nefarious actor intercepting TLS sessions
- evolution-ews connects to any EWS and blindly accepts whatever certificate is presented, exposing credentials and confidential information to those actors
- Nothing is logged or shown to the user informing them that their security is not just gone, but actively and silently undermined
- No option to revise the trust choice for this EWS account
- evolution-ews should trust only the certificate/CA presented at the time the account was created, or on a single connection attempt where the user can confirm the certificate configuration is safe
- Some notification in logs or preferably in UI notifying the user that an exception to the certificate trust is happening. Compare Firefox when an exception is provided: both a symbol in the address bar, and an explanation of why the condition is present.
- A mechanism (right-click menu, account config) to reset/revise the certificate trust exception.
Accepting a single bad TLS certificate for EWS might be tolerable, especially when the regular service is presented on a private PKI. Silently accepting all errors and not notifying the user in any way is fundamentally dangerous, as the user has no way to evaluate the security of the application and connectivity, and further has no mechanism to revise these settings short of tearing down the entire account and recreating it.
The user should first be given the tools to diagnose and correct the error (#46 is a first step), but if an exemption from validation is required it should be for a specific issuer, not ignoring all SSL errors for all time. Exempting the service from all checks should be a last resort and strongly discouraged.
Seen in evolution-ews 3.26.6 and goa 3.28.1
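The per-account trust model requested above (pin exactly the certificate the user confirmed, surface every use of the exception, and allow it to be reset), next to the blanket-ignore behaviour being reported, as an added example. This is not evolution-ews or GOA code: the `AccountTrust` class and its method names are hypothetical, and the certificate bytes are constructed placeholders standing in for DER-encoded certificates (a real client would take the DER from the TLS handshake, e.g. `ssl.SSLSocket.getpeercert(binary_form=True)`). Pinning a specific issuer rather than a leaf would additionally need certificate parsing, which is omitted here.

```python
"""Per-account TLS trust exception versus a blanket 'ignore all SSL errors' flag.

Added illustration, not project code. Certificates are constructed byte strings
standing in for DER; only their SHA-256 fingerprints matter to the logic.
"""
import hashlib
import logging
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger("ews-trust")

# Constructed stand-ins for DER certificates (not real ASN.1).
ORIGINAL_CERT = b"constructed-DER: CN=mail.example.test issuer=Corp Private CA serial=1"
MITM_CERT = b"constructed-DER: CN=mail.example.test issuer=mitmproxy serial=4242"


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint, the usual key for a certificate trust exception."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class AccountTrust:
    """Trust state kept per EWS account (hypothetical schema)."""
    pinned_fingerprint: Optional[str] = None      # exception for exactly one certificate
    audit: List[str] = field(default_factory=list)  # messages the UI/log should surface

    def _note(self, msg: str) -> None:
        self.audit.append(msg)
        log.warning(msg)

    def record_exception(self, cert_der: bytes) -> str:
        """Called only after the user inspected and confirmed this certificate."""
        self.pinned_fingerprint = fingerprint(cert_der)
        self._note(f"trust exception recorded for {self.pinned_fingerprint[:16]}...")
        return self.pinned_fingerprint

    def reset_exception(self) -> None:
        """The 'revise/reset trust' action the report asks for."""
        self.pinned_fingerprint = None
        self._note("trust exception cleared; full CA validation restored")

    def decide(self, cert_der: bytes, chain_valid: bool) -> bool:
        """chain_valid is the result of normal CA/hostname validation.

        Accept when validation passed, or when the presented certificate is
        exactly the pinned one (and say so). Anything else is refused.
        """
        if chain_valid:
            return True
        fp = fingerprint(cert_der)
        if self.pinned_fingerprint == fp:
            self._note(f"connection relies on stored exception {fp[:16]}...")
            return True
        self._note(f"untrusted certificate {fp[:16]}... is not the pinned one; refusing")
        return False


def blanket_ignore_decide(cert_der: bytes, chain_valid: bool) -> bool:
    """The behaviour described in the report: accept anything, notify no one."""
    return True


def scenario() -> dict:
    """Walk through account creation, normal use, an interception, and a reset."""
    acct = AccountTrust()
    results = {"before_pin": acct.decide(ORIGINAL_CERT, chain_valid=False)}
    acct.record_exception(ORIGINAL_CERT)           # user clicked 'accept' once
    results["pinned_cert"] = acct.decide(ORIGINAL_CERT, chain_valid=False)
    results["mitm_pinned_model"] = acct.decide(MITM_CERT, chain_valid=False)
    results["mitm_blanket_model"] = blanket_ignore_decide(MITM_CERT, chain_valid=False)
    acct.reset_exception()
    results["after_reset"] = acct.decide(ORIGINAL_CERT, chain_valid=False)
    results["valid_chain"] = acct.decide(MITM_CERT, chain_valid=True)
    results["audit"] = list(acct.audit)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The difference between the two policies is the `mitm_*` entries: with a pinned fingerprint the interception certificate is refused and the refusal lands in the audit trail, whereas the blanket policy accepts it and leaves nothing for the user to notice.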