Closed
Bug 225809
Opened 21 years ago
Closed 21 years ago
Don't fall back to insecure authentication if "use secure authentication" is checked
Categories
(MailNews Core :: Networking: IMAP, defect)
MailNews Core
Networking: IMAP
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: lorenzo, Assigned: lorenzo)
References
Details
Attachments
(1 file, 3 obsolete files)
3.74 KB,
patch
|
lorenzo
:
review+
lorenzo
:
superreview+
asa
:
approval1.6b+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031115 Firebird/0.7+ ((01) - Mike Tigas (Nova); MNG,DOMi,Venkman; G6;) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031115 Firebird/0.7+ ((01) - Mike Tigas (Nova); MNG,DOMi,Venkman; G6;) If "use secure authentication" is turned on in the account settings, mozilla tries to login using CRAM-MD5, and if it fails it falls back to an insecure login, sending the plaintext password. This can happen, for example, if mozilla exceeds the maximum number of connections permitted my the server, if it tries to connect when the mailbox is locked or the server is having problems, or if the user mistypes the password. In all these cases retrying with plaintext authentication will not help and using it defeats the purpose of secure authentication, which is to avoid sending the password over the wire. Since we have UI to turn secure authentication on and off, and secure auth is off ny default, I propose that the secure authentication checkbox change meaning from "try to use secure auth and fall back to plain text if it fails" to "use secure auth only". The UI could be changed to read "Require secure authentication" or "Use secure authentication only". I can do this if people agree that it's a good idea. Reproducible: Always Steps to Reproduce: 1. Turn on secure authentication for a mailnews account 2. Mistype one character in the password Actual Results: Mozilla retries using plaintext authentication, which of course fails. An attacker armed with a sniffer can probably figure out your password by removing your typo. Expected Results: Mozilla should not retry. You have told it to use secure auth only, and that is what it should use.
Assignee | ||
Comment 1•21 years ago
|
||
Assigning to myself. mscott, if I write the code, will you review this?
Status: NEW → ASSIGNED
Comment 2•21 years ago
|
||
Lorenzo, are you talking about IMAP or POP3 or both?
Assignee | ||
Comment 3•21 years ago
|
||
So far I've only looked at the code for IMAP, since that's what I use, and it looks like a simple fix could be trivial. But perhaps we should change the behaviour for POP as well (especially if we change the UI), and I haven't looked at that code yet.
Comment 4•21 years ago
|
||
Er, POP3 code already only tries secure mechanisms if "use secure authentication" is on and vice versa. See the if on http://lxr.mozilla.org/seamonkey/source/mailnews/local/src/nsPop3Protocol.cpp#1446.
Assignee | ||
Comment 5•21 years ago
|
||
Sorry, I was just reading the code now. I was looking at POP3_AUTH_FALLBACK and thought that the code would fall back to plaintext auth in case CRAM-MD5 failed. So you're sure that POP doesn't fall back to plaintext auth in case secure login fails? If that is so, I guess that means the UI is already wrong for POP3, and that IMAP needs to be fixed so it doesn't fall back either. :-)
Comment 6•21 years ago
|
||
No, it really shouldn't fall back to plaintext if secure is on. At least that's what I coded and what my tests showed. Why is the UI wrong? "Use secure authentication" uses secure authentication. Ok, adding an only would be possible. But users can interpret this as Mozilla uses secure and unsecure if unchecked - so that only unsecure is toggled.
Assignee | ||
Comment 7•21 years ago
|
||
Really taking.
Assignee: sspitzer → lorenzo
Status: ASSIGNED → NEW
Component: Security: General → Networking: IMAP
Assignee | ||
Comment 8•21 years ago
|
||
Patch that disables fallback to insecure auth for IMAP. If "use secure authentication" is checked and the server does not support CRAM-MD5, an alert appears, the user is not prompted for a password, and the login does not proceed. Note that if the server claims to support CRAM-MD5, we will try to use it regardless of the "use secure authentication" setting. This is different from what the POP code does, but it required the least changes, and I think it's also a better choice, since we already do fallback to insecure login. bienvenu, can you look at the code and see if you like it?
Assignee | ||
Updated•21 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 9•21 years ago
|
||
This patch is better: we don't fall back to insecure login if the user mistypes the password. Also, it tries CRAM-MD5 first if the server supports it, even if "use secure authentication" is off. If it fails, it falls back to plaintext auth.
Attachment #135671 -
Attachment is obsolete: true
Assignee | ||
Comment 10•21 years ago
|
||
So, to summarize: If "use secure authentication" is off: - If server supports CRAM, moz tries CRAM and falls back to plaintext on failure - If server doesn't support CRAM, moz uses plaintext If "use secure authentication" is on: - If server supports CRAM: moz tries CRAM only (no fallback) - If server doesn't support CRAM: moz warns the user and does not login
Assignee | ||
Comment 11•21 years ago
|
||
Comment on attachment 135676 [details] [diff] [review] patch v1 bienvenu, can you look at this? It seems reasonable to me, and I haven't seen any ill effects yet.
Attachment #135676 -
Flags: review?(bienvenu)
Comment 12•21 years ago
|
||
Comment on attachment 135676 [details] [diff] [review] patch v1 this looks OK, thx
Attachment #135676 -
Flags: review?(bienvenu) → review+
Assignee | ||
Comment 13•21 years ago
|
||
Comment on attachment 135676 [details] [diff] [review] patch v1 Requesting sr. mscott, if you like it, can you check it in? I don't have CVS access.
Attachment #135676 -
Flags: superreview?(mscott)
Assignee | ||
Comment 14•21 years ago
|
||
This is the same as patch v1, except that the error message that appears if you configure secure auth and then log in to a server that doesn't support it is (hopefully) more user friendly.
Comment 15•21 years ago
|
||
If the server supports secure authentication but the login fails, wouldn't that mean that the password was wrong (or, if there was some other problem such as those described in the report, it presumably wouldn't work any better with a plain-text password), so Mozilla shouldn't fall back to plain text?
Assignee | ||
Comment 16•21 years ago
|
||
Re comment #15, plaintext auth is needed because some servers say they support secure auth but don't implement it properly. On these servers, secure auth fails but plaintext auth using the same password succeeds.
Comment 17•21 years ago
|
||
Comment on attachment 135915 [details] [diff] [review] same patch with revised error message I'd suggest shortening the alert message to: You cannot log in to %S because you have enabled secure authentication and this server does not support it.\n\nTo log in, turn off secure authentication for this account. carrying forward the review flags.
Attachment #135915 -
Flags: superreview+
Attachment #135915 -
Flags: review+
Assignee | ||
Comment 18•21 years ago
|
||
Patch with revised error message as per mscott's comments.
Attachment #135676 -
Attachment is obsolete: true
Attachment #135915 -
Attachment is obsolete: true
Assignee | ||
Updated•21 years ago
|
Attachment #135676 -
Flags: superreview?(mscott)
Assignee | ||
Comment 19•21 years ago
|
||
Comment on attachment 136279 [details] [diff] [review] patch addressing mscott's comments Carrying forward r= and sr=
Attachment #136279 -
Flags: superreview+
Attachment #136279 -
Flags: review+
Assignee | ||
Comment 20•21 years ago
|
||
Comment on attachment 136279 [details] [diff] [review] patch addressing mscott's comments Nominating for 1.6b. It's a very simple patch with no heavy lifting (just code refactoring) so it should be low risk. It also improves security, what more can you want? :-)
Attachment #136279 -
Flags: approval1.6b?
Comment 21•21 years ago
|
||
Comment on attachment 136279 [details] [diff] [review] patch addressing mscott's comments a=asa (on behalf of drivers) for checkin to 1.6b.
Attachment #136279 -
Flags: approval1.6b? → approval1.6b+
Assignee | ||
Comment 22•21 years ago
|
||
Look like this is ready to go. Can someone check it in?
Comment 23•21 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 24•21 years ago
|
||
Lorenzo, it looks like this patch is causing problems for users. See: http://forums.mozillazine.org/viewtopic.php?p=278225#278225 and http://forums.mozillazine.org/viewtopic.php?p=278257#278257 seems like without some user intervention, some users are no longer able to check mail.
Assignee | ||
Comment 25•21 years ago
|
||
mscott: it looks like the problem is due to users having checked "use secure authentication" checkbox when their server does not support it. Before, they were falling back to insecure auth, but now they can't. Unfortunately, this is precisely the issue that this patch is designed to solve. If I remember correctly, secure auth was never on by default so the user must have turned it explicitly for this to happen. So we're talking about power users here. I see three possibilities (plus of course 4. back it out or 5. do nothing): 1. Document this in the release notes so the power users, who are the only ones likely to have turned this on, are warned about the possible problem. 2. Provide an easy way to turn off secure auth from the dialog box that appears. This would require more code, of course. 3. Deprecate the old pref and create a new one which defaults to false. It would probably also help to change the label of the checkbox to "require secure authentication" or "use secure authentication only" since that is what we are really doing both for POP and for IMAP. Personally I would prefer #1, but #2 might also make sense. I don't like #3 at all. Do you think it would be enough to put it into the release notes?
Comment 26•21 years ago
|
||
Ok, we can try to focus on (1) in our release notes.
Comment 27•20 years ago
|
||
*** Bug 263000 has been marked as a duplicate of this bug. ***
Updated•20 years ago
|
Product: MailNews → Core
Updated•16 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•