Reply to post: Re: Um, spoofing a web server?

Microsoft snubs alert over Exchange hole

Anonymous Coward

Re: Um, spoofing a web server?

No, what they mean is a web server that is in the same domain, as in .mydomain.com, as the mail server.

This vulnerability requires the attacker to take control of a web server in the same domain. They then need to set up a site, or just compromise a current site, that is secured by SSL/TLS, as it requires the connection to be secured for the password to be sent. This occurs because the domain is trusted, like all the other sites in your domain that are trusted to take your credentials.

This isn't really a fault with the protocol. It could be reduced by limiting the URLs that it will send the passwords to, but then you would have to set up all of those destinations to ensure one isn't taken by an attacker. You could also reduce the chances by only sending the u/p to the server that matches a specific certificate, but that would require the client to confirm that the certificate is the correct one, which would just be clicked through anyway.

The only real way for this to be fixed is to just not trust your own domain, which, well, you don't want to do.

If it were possible to fix this, then you could just compromise that corp site that most likely requires authentication and take the u/p from the users that connect to that site instead. Which leads back to what the real problem is: that website was able to be compromised.
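As an added illustration (not part of the commenter's post or the article), the three credential-release policies the comment compares, side by side in Python: trust the whole domain suffix, trust an explicit allowlist of hosts, or trust only a pinned certificate. The host names, the stand-in "certificates" and the policy functions are all constructed for this example; nothing here touches a network or a real Exchange client.

```python
"""Constructed example: when should a client release a password to an HTTPS endpoint?

Compares the "trust every TLS host in my domain" rule with the two mitigations
the comment mentions (URL allowlist, certificate pinning). All hosts,
certificates and fingerprints below are made up for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

TRUSTED_SUFFIX = ".mydomain.com"                                       # hypothetical corp domain
ALLOWED_HOSTS = frozenset({"mail.mydomain.com", "owa.mydomain.com"})   # hypothetical allowlist


@dataclass(frozen=True)
class Endpoint:
    host: str
    tls: bool
    cert_der: bytes   # stand-in for the server's leaf certificate (not real DER)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the presented certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed certificates: the genuine mail server's cert, and the cert of an
# unrelated internal web server that the attacker later takes over.
MAIL_CERT = b"constructed-cert:mail.mydomain.com"
INTRANET_CERT = b"constructed-cert:intranet.mydomain.com"
PINS = {"mail.mydomain.com": cert_fingerprint(MAIL_CERT)}   # only the mail server is pinned


def domain_suffix_policy(ep: Endpoint) -> bool:
    """The behaviour the comment describes: any TLS host under the domain gets the password."""
    if not ep.tls:
        return False   # the comment notes the connection must be secured for the password to be sent
    return ep.host == TRUSTED_SUFFIX.lstrip(".") or ep.host.endswith(TRUSTED_SUFFIX)


def allowlist_policy(ep: Endpoint) -> bool:
    """Mitigation 1: release only to named destinations.

    Every listed host still has to be kept out of attacker hands, which is the
    operational burden the comment points out.
    """
    return ep.tls and ep.host in ALLOWED_HOSTS


def pinned_policy(ep: Endpoint) -> bool:
    """Mitigation 2: release only when the host presents the exact pinned certificate.

    Helps only if the attacker cannot obtain the pinned key, and only if the
    client really enforces the pin instead of letting the user click through.
    """
    expected = PINS.get(ep.host)
    if not ep.tls or expected is None:
        return False
    return hmac.compare_digest(expected, cert_fingerprint(ep.cert_der))


def decide(ep: Endpoint) -> dict:
    """Run all three policies against one endpoint."""
    return {
        "suffix": domain_suffix_policy(ep),
        "allowlist": allowlist_policy(ep),
        "pinned": pinned_policy(ep),
    }


def demo() -> dict:
    """Constructed scenario: genuine mail server, compromised same-domain web
    server, the same server over plain HTTP, and a look-alike outside the domain."""
    endpoints = [
        Endpoint("mail.mydomain.com", True, MAIL_CERT),
        Endpoint("intranet.mydomain.com", True, INTRANET_CERT),   # attacker-controlled, valid TLS
        Endpoint("intranet.mydomain.com", False, INTRANET_CERT),  # plain HTTP: never sent
        Endpoint("mydomain.com.evil.example", True, INTRANET_CERT),  # not actually in the domain
    ]
    return {
        ep.host + ("" if ep.tls else " (plain http)"): decide(ep)
        for ep in endpoints
    }


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:40} {verdict}")
```

The interesting row is the compromised intranet server: the suffix rule hands it the password purely because it lives under .mydomain.com over TLS, while the allowlist and the pin both refuse it. The plain-HTTP and look-alike rows are refused by all three, matching the comment's point that the weakness is specifically about trusted same-domain HTTPS hosts.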
