I dunk for bananas (H/PC Elite, 702 posts, Europe) Posted 2022-08-10 7:58 PM
Is it generally safe to send and check my emails with, say, nPOPuk on a CE 5 device? I'm worried about my credentials being intercepted somehow or other security issues; does anyone know the reality of the situation?
C:Amie (Administrator, H/PC Oracle, 17,985 posts, United Kingdom) Posted 2022-08-10 8:06 PM
If you are using SSL/TLS and are receiving/sending mail, then yes, perfectly.

If you are not, then that is not a security issue or limitation of nPOPuk. That's just you sending your password in clear text. Yes, technically it is possible for the ISP or anyone monitoring traffic to the ISP to discover your password if you are not using SSL/TLS. How likely that is... probably not, but you can never say never.

The best example of where it can go wrong is probably if you use it over public/free wifi or on a connection where someone has omnipresent control to monitor traffic flows - say a work network or at a friend's house where they have a router that has been compromised or the router has plain been hacked to log traffic.
I dunk for bananas (H/PC Elite, 702 posts, Europe) Posted 2022-08-10 8:14 PM
I appreciate the reply. I was worried using such an old CE version for such a purpose could be unsafe. Especially since there's a large amount of expired certificates on the devices. Would that have any influence..?
C:Amie (Administrator, H/PC Oracle, 17,985 posts, United Kingdom) Posted 2022-08-11 10:41 AM
While I have not checked the source code, I suspect that nPOPuk organises its own roots - otherwise the app would never work on any device for anyone and we'd hear a lot more complaints.
Jake (Moderator, H/PC Vanguard, 2,828 posts, Choking on the stench of ambition in Washington DC) Posted 2022-08-11 5:30 PM
I know that the npopuk/google certificates no longer work in HPC2000. From hpcfactor, I PM'd the wondrous developer, but that was a couple of years ago and it's still in my Outbox.

Jake
torch (Subscribers, H/PC Guru, 5,731 posts, United States) Posted 2022-08-11 6:38 PM
I’m not sure if it’ll help but I’m willing to contribute a donation for their time but obviously if it’s a lot of work / other things going on, I totally respect that.
C:Amie (Administrator, H/PC Oracle, 17,985 posts, United Kingdom) Posted 2022-08-12 8:52 PM
I had a look at the source code. It isn't a root certificates issue.

Quite simply nPOPuk doesn't validate the certificates. The callback function auto approves any certificate as valid.

// Dummy SSL Certificate checker - we're not interested if Server cert. is valid!
int CALLBACK SSLValidateCertHook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen, LPBLOB pCertChain, DWORD dwFlags)
{
    // The chain, its length and the flags are never inspected; every server is accepted.
    return SSL_ERR_OKAY;
}
#endif

It uses OpenSSL 1.0.2m, which Google purports to support SHA2, so it isn't that.
Chances are that Google just requires OAuth and no longer allows basic auth. Most providers are heading that way. Google can issue application passwords though to bypass it.
I dunk for bananas (H/PC Elite, 702 posts, Europe) Posted 2022-08-13 12:52 PM
Quote
C:Amie - 2022-08-12 8:52 PM

I had a look at the source code. It isn't a root certificates issue.

Quite simply nPOPuk doesn't validate the certificates. The callback function auto approves any certificate as valid.

// Dummy SSL Certificate checker - we're not interested if Server cert. is valid!
int CALLBACK SSLValidateCertHook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen, LPBLOB pCertChain, DWORD dwFlags)
{
    return SSL_ERR_OKAY;
}
#endif

Is that a security risk..?
C:Amie (Administrator, H/PC Oracle, 17,985 posts, United Kingdom) Posted 2022-08-13 2:35 PM
Yes. It allows anyone to present any public key certificate - self signed or otherwise. That would allow for the impersonation of the server (I can create a certificate for mail.google.com and it'll accept it) and it prohibits the possibility for revocation of compromised private keys.

Presumably it does honour certificate expiration; although I did not check.
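As an added example (not nPOPuk's code, and not part of this thread), here is the accept-everything hook quoted earlier beside a hook that performs the checks this reply says are missing: a present chain, a trusted issuer, an unexpired leaf and a name that matches the server the client dialled. The DWORD/LPVOID/BLOB types, the SSL_* names and the ISSUER_UNKNOWN flag are placeholders defined in the file so it builds with any C compiler; the BLOB is a constructed, pre-parsed stand-in for the real DER blob, and pvArg is assumed to carry the expected hostname.

```c
/* Added example, not nPOPuk code.  DWORD/LPVOID/BLOB and the SSL_* names
 * are placeholders defined here so the file builds with any C compiler;
 * they stand in for the Windows CE definitions the quoted hook uses. */
#include <stddef.h>
#include <string.h>
#include <time.h>

typedef unsigned long DWORD;
typedef void *LPVOID;
/* Constructed stand-in: the real blob is raw DER, here it is pre-parsed. */
typedef struct { const char *subject_cn; time_t not_after; } BLOB, *LPBLOB;

#define SSL_ERR_OKAY                 0
#define SSL_ERR_FAILED               1
#define SSL_ERR_CERT_EXPIRED         2
#define SSL_ERR_NO_CERT              3
#define SSL_CERT_FLAG_ISSUER_UNKNOWN 0x1  /* chain does not end at a trusted root */

/* The hook as posted: accepts any chain, so a certificate for any name,
 * self-signed or revoked, is treated as valid. */
int DummyValidateCertHook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen,
                          LPBLOB pCertChain, DWORD dwFlags)
{
    (void)dwType; (void)pvArg; (void)dwChainLen; (void)pCertChain; (void)dwFlags;
    return SSL_ERR_OKAY;
}

/* A checking hook.  Assumes pvArg is the hostname the client dialled and
 * pCertChain[0] is the server's leaf certificate. */
int CheckedValidateCertHook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen,
                            LPBLOB pCertChain, DWORD dwFlags)
{
    const char *expected_host = (const char *)pvArg;
    (void)dwType;
    if (dwChainLen == 0 || pCertChain == NULL)
        return SSL_ERR_NO_CERT;            /* nothing presented to validate */
    if (dwFlags & SSL_CERT_FLAG_ISSUER_UNKNOWN)
        return SSL_ERR_FAILED;             /* untrusted issuer: self-signed or unknown CA */
    if (pCertChain[0].not_after < time(NULL))
        return SSL_ERR_CERT_EXPIRED;       /* leaf certificate has expired */
    /* Exact match only; production code must also match SANs and be
     * case-insensitive, and should consult revocation (CRL/OCSP). */
    if (expected_host == NULL || strcmp(pCertChain[0].subject_cn, expected_host) != 0)
        return SSL_ERR_FAILED;             /* name mismatch: server impersonation */
    return SSL_ERR_OKAY;
}
```

The dummy hook returns SSL_ERR_OKAY for a wrong-name, unknown-issuer certificate; the checking hook rejects each of those cases and an expired or absent certificate separately.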
stingraze (Subscribers, H/PC Vanguard, 3,679 posts, Japan) Posted 2022-08-14 2:06 AM
Quote
C:Amie - 2022-08-13 5:52 AM
It uses openSSL 1.0.2m, which Google purports to support SHA2, so it isn't that.

There is a CVE for OpenSSL 1.02 to 1.02y. (CVE-2021-3712)

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712

Not sure if this will affect nPOPuk, but might be worth checking out.

Edited by stingraze 2022-08-14 2:13 AM
C:Amie (Administrator, H/PC Oracle, 17,985 posts, United Kingdom) Posted 2022-08-14 8:08 AM
Yup, as it is running 1.0.2m, it is impacted. Would need a recompile and a version bump.