evolution calendar does not check SSL certificates
Bug #933659 reported by Vreixo Formoso
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evolution-data-server | Fix Released | Critical | |
evolution-data-server (Ubuntu) | Fix Released | Undecided | Unassigned |
evolution-data-server (openSUSE) | Won't Fix | High | |

Bug Description
When using a Google calendar in evolution, evolution uses HTTPS. However, certificate correctness is not checked. Using a tool like sslsniff allows capturing the user name and password. Given that the calendar is periodically updated, it is trivial for an attacker to retrieve the user's private data when connected to the same local network.
Changed in evolution-data-server (Ubuntu):
status: New → Confirmed
Changed in evolution-data-server:
importance: Unknown → Critical
status: Unknown → Fix Released
Changed in evolution-data-server (openSUSE):
importance: Unknown → High
status: Unknown → Confirmed
Changed in evolution-data-server (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in evolution-data-server (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
Changed in evolution-data-server (openSUSE):
status: Confirmed → In Progress
Changed in evolution-data-server (openSUSE):
status: In Progress → Won't Fix
It seems to be a libsoup bug.