8

I was experimenting with a Python email script and was wondering whether a Python-based email script is less secure than sending credentials over the internet when logging into a web page. In the following script, are the user and pass in the clear?

import smtplib
from email.mime.text import MIMEText

GMAIL_LOGIN = 'xxxxxx@gmail.com'
GMAIL_PASSWORD = 'amiexposed?'

def send_email(subject, message, from_addr=GMAIL_LOGIN, to_addr=GMAIL_LOGIN):
    msg = MIMEText(message)
    msg['Subject'] = subject  # was hard-coded to 'Test message', ignoring the parameter
    msg['From'] = from_addr
    msg['To'] = to_addr

    # Plain connection on the submission port, then upgrade with STARTTLS
    server = smtplib.SMTP('smtp.gmail.com', 587)
    server.ehlo()
    server.starttls()
    server.ehlo()  # re-identify after the upgrade; AUTH is advertised only now
    server.login(GMAIL_LOGIN, GMAIL_PASSWORD)
    server.sendmail(from_addr, to_addr, msg.as_string())
    server.quit()  # send QUIT and close; close() alone drops the socket silently

if __name__ == '__main__':
    send_email('testing email script', 'This is a test message')
glglgl
Kryptos
    One thing to watch out for - and somewhat of a nitpick - if you don't pass a key/cert pair to starttls, I don't think it validates the SSL signing chain, which means someone could put a fake SSL server up and poison your DNS and you could SSL connect to them and give them your credentials. However unlikely this may be, it's worth pointing out, as a neckbeard performing a code review will ding you for it. By default Python will just initiate an SSL connection with a signed or unsigned cert on the remote end. Convenient during development, less awesome in production. – synthesizerpatel May 22 '13 at 08:11
  • Just to clarify synthesizerpatel's reply, I want to confirm that what he is describing is a man-in-the-middle attack and not necessarily an attack where credentials were captured from the above script by the user and login being sent in the clear (which would just boil down to packet sniffing). Is that correct? – Kryptos May 23 '13 at 02:11
  • Also, what would be the code to include a keyfile and certfile to prevent the attack as described by synthesizerpatel? I see from http://docs.python.org/3.2/library/smtplib.html that it can be included, but there are no examples. And another question: if I manually entered each of these lines in a terminal window, what layer of the OSI model is that, as opposed to the application layer if I send email through a mail client like Thunderbird? – Kryptos May 23 '13 at 02:19
  • 1
    Is the password sent clear if starttls() is not invoked beforehand? – FlorianL Jan 05 '19 at 22:57
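An added example (not code from the question or from any answer) for the two comment threads above: it keeps the posted flow but hands starttls() a verifying ssl context (the context argument, Python 3.3+, is what checks the server's chain and name; keyfile/certfile only supply a client certificate) and refuses to log in if the server never offers STARTTLS. The smtp_factory hook and the RecordingSMTP class are constructed here so the flow can be exercised offline.

```python
import smtplib
import ssl
from email.mime.text import MIMEText


def verifying_context():
    """Client context that rejects an untrusted chain or a name mismatch."""
    # create_default_context() sets CERT_REQUIRED and check_hostname;
    # the posted script passes no context at all to starttls().
    return ssl.create_default_context()


def send_email(login, password, subject, body, to_addr,
               context=None, smtp_factory=smtplib.SMTP):
    """Flow of the posted script, with a verified STARTTLS upgrade.
    smtp_factory is a hypothetical hook so the flow can run offline."""
    context = context or verifying_context()
    msg = MIMEText(body)
    msg["Subject"], msg["From"], msg["To"] = subject, login, to_addr
    with smtp_factory("smtp.gmail.com", 587) as server:
        server.ehlo()
        if not server.has_extn("starttls"):
            # Never fall back: login() on a plaintext session puts the
            # password on the wire base64-encoded, not encrypted.
            raise RuntimeError("server does not offer STARTTLS")
        server.starttls(context=context)  # SSLError if the cert fails
        server.ehlo()
        server.login(login, password)
        return server.send_message(msg)


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP that records the upgrade."""
    last = None

    def __init__(self, host, port):
        self.tls_context, self.login_after_tls = None, False
        RecordingSMTP.last = self
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def ehlo(self): pass
    def has_extn(self, name): return name == "starttls"
    def starttls(self, context=None): self.tls_context = context
    def login(self, user, password):
        self.login_after_tls = self.tls_context is not None
    def send_message(self, msg): return {}


def upgrade_is_verified():
    """Was login() done over a TLS session that verifies the peer?"""
    send_email("me@example.com", "hunter2", "t", "b", "me@example.com",
               smtp_factory=RecordingSMTP)
    s = RecordingSMTP.last
    return bool(s.login_after_tls and s.tls_context.check_hostname
                and s.tls_context.verify_mode == ssl.CERT_REQUIRED)
```

Against a real server, a spoofed or self-signed certificate now fails inside starttls() before any credential is sent, which is the check the comments above ask about.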

1 Answer

5

That would entirely depend on how the TLS connection is set up. If you are requiring valid certificates (I believe if a certificate which is not trusted is encountered, your startTLS method will throw an exception (I'm not sure; you should verify this)). But considering you are setting up TLS, and sending everything over the TLS connection, everything should be encrypted. This means neither your password, username nor even your message and addressees will be sent in plain text.

So no, your username and password are not sent in the clear.

Lucas Kauffman
  • Just a quick question for which I would not like to open another topic: Is the password sent clear if starttls() is not invoked beforehand? – FlorianL Jan 06 '19 at 10:24