Closed
Bug 1467835
Opened 6 years ago
Closed 4 years ago
TLS authentication should NOT allow PLAIN text authentication as fallback
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: jeff, Unassigned)
Details
Attachments
(1 file)
13.73 KB,
text/plain
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542
Steps to reproduce:
Using v52.8.0 (32-bit) of Thunderbird
Setup mail account using both POP3 server on Port 995 and SMTP server on Port 465.
And set Authentication to either SSL/TLS or STARTTLS with Normal Password
Actual results:
Logs show that authentication/connection is occurring in PLAIN text and username and password are exposed.
See attached log files, using SSL/TLS Authentication setting.
Expected results:
I have an expectation that when I set Authentication to use SSL/TLS or STARTTLS that this will occur securely and not in plain text.
There should be either
(1) no fallback allowed to PLAIN text authentication when SSL/TLS or STARTTLS are chosen, or
(2) there should be an option with prompt asking to confirm whether or not to continue with PLAIN text authentication when secure authentication fails.
Updated•4 years ago
Flags: needinfo?(mkmelin+mozilla)
Comment 1•4 years ago
Sorry, you're confusing concepts. If you're using TLS the connection is secure. The authentication mechanism can then very well be "plain" without any loss of security: the outer layer is already securing you.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → INVALID
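An added example, not part of the bug report or of Thunderbird's code: it audits an SMTP session log to tell whether an `AUTH PLAIN` command was issued inside an established TLS layer (implicit TLS on port 465, or after a `220` reply to `STARTTLS`) or on a cleartext connection. The `C:`/`S:` log format, hostnames and credential are constructed for illustration and do not come from the bug's attachment. An application-layer log records the base64 credential in both cases, so its presence in a log does not by itself show what went over the wire.

```python
import base64

def decode_sasl_plain(b64: str):
    """RFC 4616 PLAIN response: [authzid] NUL authcid NUL passwd, base64-encoded."""
    authzid, authcid, passwd = base64.b64decode(b64).split(b"\x00")
    return authzid.decode(), authcid.decode(), passwd.decode()

def audit_smtp_session(lines, implicit_tls: bool):
    """Return [(mechanism, exposed)] for every AUTH command in one session.

    lines: 'C: ...' / 'S: ...' application-layer lines (constructed format).
    implicit_tls: True if TLS was negotiated before any SMTP bytes (port 465).
    """
    tls_active = implicit_tls
    starttls_pending = False
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        verb = words[0].upper() if words else ""
        if side == "C" and verb == "STARTTLS":
            starttls_pending = True
        elif side == "S" and starttls_pending:
            # Only a 220 reply means the TLS handshake follows.
            tls_active = text.startswith("220")
            starttls_pending = False
        elif side == "C" and verb == "AUTH" and len(words) > 1:
            findings.append((words[1].upper(), not tls_active))
    return findings

# Constructed sample data: placeholder account, not taken from the bug's attachment.
CRED = base64.b64encode(b"\x00user@example.test\x00not-a-real-password").decode()
IMPLICIT_465 = ["S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
                "S: 250 AUTH PLAIN LOGIN", f"C: AUTH PLAIN {CRED}", "S: 235 OK"]
STARTTLS_OK = ["S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
               "S: 250 STARTTLS", "C: STARTTLS", "S: 220 Ready to start TLS",
               "C: EHLO client.example.test", "S: 250 AUTH PLAIN LOGIN",
               f"C: AUTH PLAIN {CRED}", "S: 235 OK"]
STARTTLS_REFUSED = ["S: 220 mail.example.test ESMTP", "C: EHLO client.example.test",
                    "S: 250 STARTTLS", "C: STARTTLS", "S: 454 TLS not available",
                    f"C: AUTH PLAIN {CRED}", "S: 235 OK"]

if __name__ == "__main__":
    for name, log, implicit in [("implicit TLS (465)", IMPLICIT_465, True),
                                ("STARTTLS accepted", STARTTLS_OK, False),
                                ("STARTTLS refused", STARTTLS_REFUSED, False)]:
        print(name, audit_smtp_session(log, implicit))
    print(decode_sasl_plain(CRED))
```

Only the third session, where `STARTTLS` is refused and `AUTH` is sent anyway, is flagged as exposed.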