I was reading Holden Karau's blog this morning and he discusses discovering that Yahoo!'s Zimbra Desktop exposes plain-text authentication credentials when authenticating with a Yahoo! IMAP server. Holden stumbled across this while working on a spam mail filter project during the Yahoo!-sponsored HackU project at Waterloo University. He needed an IMAP server, which Yahoo! didn't appear to have, or at least didn't allow access to via the standard Yahoo! Mail service. However, he later discovered that Yahoo! did indeed expose IMAP servers to certain clients, as that's exactly what Zimbra Desktop was using. Yahoo! acquired Zimbra, a messaging and collaboration company, in September of 2007. While sniffing traffic to determine how Zimbra Desktop was authenticating to the server, he was surprised to see that the connection did not use SSL. Credentials were passed in plain text, available to anyone with access to the traffic.
Curiosity got the best of me and I decided to see if the issue had been addressed. After all, the post was picked up by Slashdot, which means that it was seen by a fairly broad audience. This morning I installed the latest iteration of Zimbra Desktop 0.90 (build 1278) and sure enough, as can be seen in the Wireshark screenshot, the username (zscaler2008) and password (cloudsecurity) of my test account were sent unencrypted.
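What the Wireshark screenshot shows can be checked mechanically: on a plain IMAP connection (port 143), a client that has not completed STARTTLS and then issues LOGIN has just put its credentials on the wire in clear text. The following is an added example, not code from the original post or from Zimbra, that walks a capture of IMAP dialogue lines and reports every LOGIN sent before the connection was TLS-protected. The capture records are constructed here (connection ids `c1`..`c4`, the `C>S`/`S>C` direction tags and the record layout are my own assumptions about what a capture tool would emit); the `zscaler2008` account name is the test account from the post. Findings deliberately carry the username only, never the password.

```python
"""Flag IMAP LOGIN commands that were sent before the session was TLS-protected.

Added example (not from the original post). Input records are assumed to look like
(connection_id, server_port, direction, payload_line), one per IMAP line, where
direction is "C>S" (client to server) or "S>C" (server to client).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAP_SSL_PORT = 993  # implicit TLS: payload is ciphertext from the first byte

# "<tag> LOGIN <user> <password>" as sent by the client (RFC 3501 syntax)
LOGIN_RE = re.compile(r"^(?P<tag>\S+)\s+LOGIN\s+(?P<user>\S+)\s+(?P<pw>\S+)", re.IGNORECASE)
# "<tag> STARTTLS" as sent by the client; TLS starts only after the server's tagged OK
STARTTLS_RE = re.compile(r"^(?P<tag>\S+)\s+STARTTLS\s*$", re.IGNORECASE)


@dataclass
class ConnState:
    tls: bool                          # True once the channel is encrypted
    pending_starttls_tag: Optional[str] = None  # tag of an unanswered STARTTLS


def cleartext_logins(records) -> List[Tuple[str, str]]:
    """Return (connection_id, username) for every LOGIN sent over a cleartext channel."""
    conns = {}
    findings = []
    for conn_id, server_port, direction, line in records:
        st = conns.setdefault(conn_id, ConnState(tls=(server_port == IMAP_SSL_PORT)))
        if st.tls:
            continue  # already encrypted: nothing readable could be captured here
        if direction == "C>S":
            m = STARTTLS_RE.match(line)
            if m:
                st.pending_starttls_tag = m.group("tag")
                continue
            m = LOGIN_RE.match(line)
            if m:
                # Credentials went out in the clear; record the account, not the password
                findings.append((conn_id, m.group("user").strip('"')))
        else:  # S>C
            tag = st.pending_starttls_tag
            if tag and line.startswith(tag + " "):
                # Only a tagged OK upgrades the channel; NO/BAD leaves it in clear text
                st.tls = line.startswith(tag + " OK")
                st.pending_starttls_tag = None
    return findings


# Constructed capture: four IMAP sessions, only two of which expose credentials.
CAPTURE = [
    # c1: implicit TLS on 993, opaque payload
    ("c1", 993, "C>S", "<encrypted>"),
    # c2: port 143, STARTTLS completed before LOGIN (the LOGIN line would really be
    #     ciphertext; it is listed only to show the state machine ignores it)
    ("c2", 143, "S>C", "* OK IMAP4rev1 ready"),
    ("c2", 143, "C>S", "a1 STARTTLS"),
    ("c2", 143, "S>C", "a1 OK Begin TLS negotiation now"),
    ("c2", 143, "C>S", "a2 LOGIN alice secret"),
    # c3: port 143, LOGIN with no STARTTLS at all (the Zimbra Desktop case)
    ("c3", 143, "S>C", "* OK IMAP4rev1 ready"),
    ("c3", 143, "C>S", "a1 LOGIN zscaler2008 cloudsecurity"),
    ("c3", 143, "S>C", "a1 OK LOGIN completed"),
    # c4: port 143, STARTTLS refused by the server, client logs in anyway
    ("c4", 143, "S>C", "* OK IMAP4rev1 ready"),
    ("c4", 143, "C>S", "a1 STARTTLS"),
    ("c4", 143, "S>C", "a1 NO TLS not available"),
    ("c4", 143, "C>S", "a2 LOGIN bob hunter2"),
]

if __name__ == "__main__":
    for conn_id, user in cleartext_logins(CAPTURE):
        print(f"{conn_id}: cleartext LOGIN for account {user!r}")
```

Session `c4` is the case worth keeping in mind when reviewing a client: asking for STARTTLS is not the same as getting it, and a client that falls back to LOGIN after a refused upgrade leaks exactly as much as one that never asked.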
Passing plain-text authentication credentials is hardly a new or even interesting threat, but it got me to thinking. A significant challenge for cloud computing is building trust. We're moving from a world where everything related to IT is controlled by the enterprise, to one where we heavily rely on outside entities. Whether enterprises adequately leverage their control to properly mitigate risk or not, at least they know they have it. After all, I may not know how to manage a server, but if it's in my data center, at least I can always reboot it. Webmail is perhaps the most mature cloud computing application, and we see here that adequate security, even for a player the size of Yahoo!, is still not a given.
Cloud-based applications allow us to defer the pain and headache of maintenance and security to others, but in doing so, we place our trust in third parties. If SaaS players fail to build an adequate level of trust, or squander it once it has been achieved, they will be destined to fail.
- Guilty Until Proven Innocent - Place the burden of proof on your SaaS vendor. It's up to them to gain your trust and prove that they have adequate security in place. Insist that they provide details of their architecture, internal security procedures and perhaps third-party audit reports such as a SAS 70.
- Is the Whole the Sum of Its Parts? - When the solution is cobbled together from multiple partners, it increases the likelihood that security will slip through the cracks. In the case of the Zimbra Desktop example above, Zimbra came to Yahoo! through an acquisition, and it's clear that security was not adequately reviewed or integrated.
- A Chain Is Only as Strong as Its Weakest Link - In this case, the vulnerability does not exist in the Yahoo! webmail cloud, but rather in the Yahoo!-provided client used to connect to the cloud. Cloud computing extends your network, connecting it to third-party resources. Security is required at all nodes - in the third-party data centers, in your local LAN and in the connections between the two. One weak link breaks security in the system as a whole.