
SECURITY: check domain name on auto-discovery #574

@tobixen

Now that auto-discovery has been implemented - ref #102 - there is a security risk that if the DNS is hijacked, a user may be sent to a server controlled by an attacker, causing the password to be leaked.

The proper mitigation of this attack is to do a DNSSEC validation, but for one thing DNSSEC is not that widely adopted, and for another it has proven slightly non-trivial to do DNSSEC validation in the caldav library (the AI had two shots at it in #572). (Better authentication schemes than a simple password could also help.)

The AI suggested enforcing TLS and certificate validation by default. That could work out, except for a small detail - if the attacker controls the DNS and sends the user to caldav.evil.hacker.xxx, which does have a valid certificate, then the certificate check won't help.

In the absence of DNSSEC, I think it's needed to validate that the auto-discovered domain matches the domain requested. If one tries visiting myorg.example.com, then calendar-server-32.myorg.example.com and myorg.example.com should be OK, while evil-hacker.example.com obviously isn't OK.
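The check proposed above, as an added example written for this page rather than code from the caldav library: the hostname the user typed (`requested`) and the hostname that DNS-based discovery returned (`discovered`) are compared on DNS label boundaries, so the discovered host must be the requested host itself or a subdomain of it. The function names, the `check_discovered_url` wrapper and the sample hosts are assumptions of this example; the `https`-only rule reflects the TLS enforcement discussed in the issue.

```python
"""Label-boundary host check for auto-discovered CalDAV servers.

Illustrative code for this issue, not part of the caldav library. It assumes
the caller already has the hostname the user entered (``requested``) and the
hostname or URL that SRV/TXT discovery produced (``discovered``).
"""
from urllib.parse import urlsplit


def _normalize(host: str) -> str:
    """Lower-case, strip a trailing dot and IDNA-encode a hostname.

    Returns "" for anything that is not a valid hostname, so that callers
    fail closed instead of matching garbage.
    """
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return ""


def discovered_host_is_trusted(requested: str, discovered: str) -> bool:
    """True if ``discovered`` equals ``requested`` or is a subdomain of it.

    The suffix test includes the leading dot, so for a request to
    "myorg.example.com" the host "evilmyorg.example.com" is rejected even
    though it ends with the same characters, and "evil-hacker.example.com"
    is rejected because sharing a parent zone is not enough.
    """
    req = _normalize(requested)
    disc = _normalize(discovered)
    if not req or not disc:
        return False
    return disc == req or disc.endswith("." + req)


def check_discovered_url(requested_host: str, discovered_url: str) -> str:
    """Validate an auto-discovered URL before credentials are sent to it.

    Rejects non-TLS URLs and any host that is not under ``requested_host``;
    returns the URL unchanged when it passes, raises ValueError otherwise.
    """
    parts = urlsplit(discovered_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS discovered URL: {discovered_url}")
    host = parts.hostname or ""
    if not discovered_host_is_trusted(requested_host, host):
        raise ValueError(
            f"auto-discovered host {host!r} is not under {requested_host!r}"
        )
    return discovered_url


if __name__ == "__main__":
    # Constructed sample values mirroring the hosts named in the issue.
    for candidate in (
        "myorg.example.com",
        "calendar-server-32.myorg.example.com",
        "evil-hacker.example.com",
        "caldav.evil.hacker.xxx",
    ):
        print(candidate, discovered_host_is_trusted("myorg.example.com", candidate))
```

The trade-off of this rule is that a discovery record pointing at a legitimately outsourced provider under a different domain is also refused; if that case has to be supported, it needs an explicit opt-in from the user rather than silent trust in the DNS answer, since the whole point of the check is that the DNS answer alone cannot be trusted without DNSSEC.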
