Trello recently changed the URI scheme of the iCalendar feed URI that they provide in their Calendar power-up.
Previous feed format:

webcal://trello.com/calendar/abc/def/ghi.ics

New:

https://trello.com/calendar/abc/def/ghi.ics
This changes how a calendar client retrieves the feed. Given a webcal URI, the client queries the host over plain HTTP with the full feed path (it simply rewrites webcal to http). Trello responds with a 302 pointing to the same URI with the scheme replaced by https, and only then is the feed body transferred over TLS.
Observing network traffic in Wireshark:
The redirect protects the feed body, but the damage is already done: the first request, including the secret path segments that are the only thing authenticating the feed, has gone over the wire in the clear. It is trivial for anyone in control of the network, or any passive attacker on a wireless network, to capture that request line, replay the URL over https themselves, and get full read-only access to every card with a due date on any board that has the power-up enabled. With the new feed (using https from the start), no communication takes place in the clear.

This is really a limitation of the webcal scheme, which has no way to indicate that the client should use a secure transport. I suggested replacing webcal with https, which worked for the client I tested with (Calendar.app on OS X), but this would need testing with other calendar clients before being pushed as a fix.
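To make the exchange above concrete, here is an added Python model (not code from the original post and not Trello's code) of the client-side scheme rewrite, Trello's 302 as described in the post, what a passive sniffer on the path can read, and the https fix. The captured request and the abc/def/ghi path segments are constructed placeholders, and the server side is simulated in-process rather than contacted over the network.

```python
"""Added example, not from the original post: model webcal -> http -> 302 -> https
and show what a passive observer sees at each step. No real network access."""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# Placeholder path segments taken from the post; in reality these are the secret.
SECRET_FEED = "webcal://trello.com/calendar/abc/def/ghi.ics"


def client_fetch_url(feed_uri: str) -> str:
    """What a webcal-aware calendar client actually requests on the wire.

    There is no secure variant of the webcal scheme, so the client rewrites it to
    plain http and sends the full path in the clear. https feeds are used as-is.
    """
    parts = urlsplit(feed_uri)
    if parts.scheme == "webcal":
        return urlunsplit(("http",) + tuple(parts[1:]))
    return feed_uri


def server_response(request_url: str) -> tuple[int, dict]:
    """Simulated Trello behaviour as described in the post: 302 any http request
    to the https copy of the same URL; serve the feed only over https."""
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        return 302, {"Location": urlunsplit(("https",) + tuple(parts[1:]))}
    return 200, {"Content-Type": "text/calendar"}


def on_the_wire(feed_uri: str) -> list[str]:
    """Plaintext a passive sniffer could read: request line + Host of every http
    round-trip. TLS round-trips contribute nothing readable."""
    seen: list[str] = []
    url = client_fetch_url(feed_uri)
    for _ in range(5):  # bounded redirect chase, like a real client
        parts = urlsplit(url)
        if parts.scheme == "http":
            seen.append(f"GET {parts.path} HTTP/1.1\r\nHost: {parts.netloc}")
        status, headers = server_response(url)
        if status != 302:
            break
        url = headers["Location"]
    return seen


# A request as it would appear in a Wireshark "Follow TCP Stream" view.
# Constructed for this example; the User-Agent is made up.
CAPTURED_REQUEST = (
    "GET /calendar/abc/def/ghi.ics HTTP/1.1\r\n"
    "Host: trello.com\r\n"
    "User-Agent: example-calendar-client/1.0\r\n"
    "Accept: */*\r\n\r\n"
)


def feed_from_capture(raw_request: str) -> str | None:
    """Recover the replayable feed URL from a cleartext HTTP request.

    Only the request line and Host header are needed: the path is the credential,
    and the attacker can fetch the feed over https themselves afterwards.
    """
    lines = raw_request.split("\r\n")
    req = lines[0].split(" ")
    if len(req) != 3 or req[0] != "GET" or not req[1].endswith(".ics"):
        return None
    host = next(
        (l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")),
        None,
    )
    if host is None:
        return None
    return f"https://{host}{req[1]}"


def fixed_feed_uri(feed_uri: str) -> str:
    """The remediation suggested in the post: hand out https, not webcal."""
    parts = urlsplit(feed_uri)
    if parts.scheme == "webcal":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return feed_uri


if __name__ == "__main__":
    print("old feed leaks:", on_the_wire(SECRET_FEED))
    print("attacker replays:", feed_from_capture(CAPTURED_REQUEST))
    print("new feed leaks:", on_the_wire(fixed_feed_uri(SECRET_FEED)))
```

The point the model makes is that the 302 arrives one round-trip too late: `on_the_wire` shows the secret path leaving the client in cleartext before the server ever gets a chance to redirect, and `feed_from_capture` shows that nothing more than that one request line is needed to replay the feed over https. Switching the advertised URI to https removes the cleartext round-trip entirely.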
Response timeline:

I reported this on 2015/5/1 at 06:30 EST.
First (human) response: 2015/5/1 14:27 EST.
Issue acknowledged: 2015/5/1 14:43 EST - they said the issue had previously been reported and a fix was expected sometime that week.
Fixed: 2015/8/1 09:07 EST - webcal replaced with https.
+1 for Trello security.