Beware the Transparent Proxy…Your Faith In VPNs Might Waver
Aviram from the Securiteam blog wrote a post titled "Who's Your SMTP Daddy?" that caught my eye regarding the false sense of security that use of corporate IPSec VPNs brings to traveling road warriors due to the use by providers of so-called transparent proxies.
Let's say that you've got some sort of IPSec VPN solution installed on your laptop using the standard corporate configuration with your mail client pointing to mail.foo.com. Your machine has AV, HIPS, firewall, etc.
You connect to a provider's network (wired, wifi, hotel, airport, etc…) and fire up your VPN client which authenticates just fine. You then launch your mail client and type a quick note to your CEO about the confidential M&A project you're working on. A few minutes later you get a response from your CEO to proceed with the tender.
Here's the problem: that SMTP session you thought was encrypted through your VPN back to the corporate mail server was actually sent in the clear. In fact, it wasn't even sent through your mail relay/server.
Here's a great example of why, taken from Aviram's blog:
my VPN (as some of them do) but happily resolves any unresolvable host
name (such as my SMTP server’s hostname). This is resolved to a
catch-all server that proxies everything. Transparently. (well, almost)
Lesson learned. Changed the hostname to the IP, and will soon switch
to SSL based SMTP which will authenticate the server. In the meanwhile -
be careful of helpful Beijing wifi providers who are only too happy
to forward your mail on! (with some changes, of course).
Aviram is in China, but this example is valid in many countries, and given the behavior of some domestic ISPs, Telcos and Mobile Operators you can probably expect that it is happening, or will be, here too. It could easily work with other protocols that aren't sensitive to session tampering/MITM.* Further, Aviram's example was about interception. There's every reason to believe that the content of your email could be modified as well…
I personally use SSL authenticated SMTP with validly issued certificates, so at least if there is tampering with my session, my mail client barfs, letting me know something is wrong. That error probably wouldn't help the average sales droid in the field, as he/she would just click OK like most people do to any security error that pops up, but it's worth considering.
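As an added illustration (not code from this post or from Aviram's), here is a Python sketch of the defenses described above: pinning the mail host to the address it should resolve to through the VPN, probing for a catch-all resolver that answers for names that cannot exist, and refusing to send unless STARTTLS verifies the server's certificate. mail.foo.com, 10.10.1.25 and the probe domain are constructed values.

```python
import secrets
import smtplib
import socket
import ssl

# Constructed example values: the corporate mail host and the address it
# should resolve to when DNS is being answered through the VPN tunnel.
MAIL_HOST = "mail.foo.com"
EXPECTED_MAIL_IPS = {"10.10.1.25"}

def catch_all_suspected(resolve, domain="foo.com"):
    """Resolve a random label that cannot exist. A sane resolver raises
    gaierror; a catch-all resolver (captive portal / transparent proxy)
    answers anyway. Returns the bogus answer, or None when none came back.
    Note: a legitimate wildcard record under `domain` also trips this."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        return resolve(probe)
    except socket.gaierror:
        return None

def mail_host_redirected(resolve, mail_host=MAIL_HOST, expected=EXPECTED_MAIL_IPS):
    """Pin the mail host to its published VPN-side address(es). Any other
    answer means the local resolver is steering the SMTP session elsewhere."""
    try:
        answer = resolve(mail_host)
    except socket.gaierror:
        return True  # no answer at all: the VPN-resolved path is not in use
    return answer not in expected

def strict_tls_context():
    """Server-authenticating TLS: a proxy that cannot present a certificate
    valid for the mail host fails here instead of being relayed silently."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def table_resolver(table):
    """Offline stand-in for socket.gethostbyname, so the checks above can be
    exercised without a network: answers from `table`, NXDOMAIN otherwise."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror("simulated NXDOMAIN")
    return resolve

def send_checked(sender, recipient, message, port=587, resolve=socket.gethostbyname):
    """Refuse to send unless DNS looks sane and STARTTLS verifies the server."""
    if catch_all_suspected(resolve) is not None:
        raise RuntimeError("resolver answers for nonexistent names: catch-all proxy?")
    if mail_host_redirected(resolve):
        raise RuntimeError("mail host resolves outside the expected VPN addresses")
    with smtplib.SMTP(MAIL_HOST, port, timeout=30) as smtp:
        smtp.starttls(context=strict_tls_context())  # raises on a bad certificate
        smtp.sendmail(sender, recipient, message)
```

With a catch-all resolver the first two checks fail before any mail leaves the machine; with a proxy that terminates TLS, `starttls()` raises a certificate verification error, which is the "client barfs" behaviour above.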
* Obviously this example presents a worst case scenario with certain configuration assumptions and license taken for illustration, but take the message for what it's intended: blind faith in VPNs can cause you some serious heartache. Transparent proxies work very well…