Closed Bug 1467835 Opened 6 years ago Closed 3 years ago

TLS authentication should NOT allow PLAIN text authentication as fallback

Categories

(Thunderbird :: Security, defect)

52 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jeff, Unassigned)

Details

Attachments

(1 file)

Attached file POP3_SMTP_log.txt
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

Using v52.8.0 (32-bit) of Thunderbird

Setup mail account using both POP3 server on Port 995 and SMTP server on Port 465.
And set Authentication to either SSL/TLS or STARTTLS with Normal Password



Actual results:

Logs show that authentication/connection is occuring in PLAIN text and username and password are exposed.

See attached log files, using SSL/TLS Authentication setting.


Expected results:

I have an expectation that when I set Authentication to use SSL/TLS or STARTTLS that this will occur securely and not in plain text.

There should be either 
(1) no fallback allowed to PLAIN text authentication when SSL/TLS or STARTTLS are choosen, or
(2) there should be an option with prompt asking to confirm whether or not to continue with PLAIN text authentication when secure authentication fails.
Flags: needinfo?(mkmelin+mozilla)

Sorry, you're confusing concepts. If you're using TLS the connection is secure. The authentication mechanism can then very well be "plain" without any loss of security: the outer layer is already securing you.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.