Thursday, July 5, 2007

Dissecting the GoDaddy email notifier - Part 1

I host at GoDaddy. Yes, yes, I know there have been horror stories and there is even a site that lists incidents involving the shutting down of some sites with little or no warning; but they're dirt cheap and I'm poor so...

Anyway, GoDaddy has this email notifier which will check your mailbox to see if you've got new mail without logging into the horribly slow Web Based email client. It's fairly convenient, but only installs on Windows. I wanted to do two things with this notifier:

1.See how safely it actually kept my credentials.
2. See how it communicated with the server and if it was secure as well.

I then wanted to see how easy it was to have a version written for Linux so that I can use it on my Ubuntu box.

I don't know how many of you have nodded off by now and how many of you wondering why I even bother. The truth is, its important to me, its my blog and it will also hopefully enlighten you on how you can go about conducting an analysis on a network application. In this regard, this is what I will be doing with this application:

1. Examining the communication between notifier and server
2. Identifying how the credentials are stored and if they are encrypted
3. Attempting to decrypt the credentials if it proves easy to do so
4. Writing my own Linux version of the tool. Either a Gnome Applet or Firefox Extension (whichever is easier)

Since this will be an ongoing saga of sorts, I will break it down into several posts for managability's sake. It also gives me time to conduct my research and publish the findings without waiting till the end.

Right, let's begin...

As with all applications, I downloaded and installed the tool. The notifier is in the form of a small envelope that sits in your taskbar . You can configure it to check up to 5 email addresses and specify such settings as duration between email checks, how long to display messages for and how many new messages to display in a small popup window. All fairly simple.

My first order of business is to check how the tool communicates with the server. So I fire up Wireshark and sniff a few packets. Immediately, it is apparent that the tool uses SSL. Points for GoDaddy. No casual sniffing can be done. This puts a dent in my plans of attempting to write a Linux version. How can I write one, when I don't know what it says to the server? I can always try an MITM SSL sniffing exercise. The idea for this one is as simple as this:



This can all be achieved by using stunnel and the replug tool found in Matasano's BlackBag. As a matter of fact, Dave Goldsmith has an article on the Matasano Blog about how he did this for a Java Application. In his case, it was a fairly easy workaround to bypass the certificate validation. I don't know how easy it will be for this specific application. But I'm getting ahead of myself. Join me for the next post where I setup the stunnel/replug proxy chain, discover if proper certificate validation is done and look for a way around the SSL communication.

No comments: