Open Bug 1467835 Opened 3 years ago
TLS authentication should NOT allow PLAIN text authentication as fallback
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

Using v52.8.0 (32-bit) of Thunderbird.
Set up mail account using both POP3 server on Port 995 and SMTP server on Port 465.
And set Authentication to either SSL/TLS or STARTTLS with Normal Password.

Actual results:

Logs show that authentication/connection is occurring in PLAIN text and username and password are exposed. See attached log files, using SSL/TLS Authentication setting.

Expected results:

I have an expectation that when I set Authentication to use SSL/TLS or STARTTLS that this will occur securely and not in plain text.
There should be either (1) no fallback allowed to PLAIN text authentication when SSL/TLS or STARTTLS are chosen, or (2) there should be an option with prompt asking to confirm whether or not to continue with PLAIN text authentication when secure authentication fails.
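
A check for the concern raised in this report, as an added example that is not part of the original bug report or of Thunderbird's code: given a client-side protocol log, it lists the credential commands (`AUTH PLAIN`, `AUTH LOGIN`, POP3 `USER`/`PASS`) that were sent before the channel was encrypted, including the case where the STARTTLS upgrade is refused and the client continues anyway. The `C: `/`S: ` log format, the host name and the credentials are constructed for illustration.

```python
import re

# Commands that send reusable credentials: SASL PLAIN/LOGIN (base64 only)
# for SMTP and POP3, plus the POP3 USER/PASS pair.
CRED_CMD = re.compile(r"^(AUTH\s+(PLAIN|LOGIN)\b|USER\s|PASS\s)", re.I)
# STARTTLS is the SMTP upgrade command, STLS the POP3 one.
UPGRADE_CMD = re.compile(r"^(STARTTLS|STLS)\s*$", re.I)
# Positive reply to the upgrade: "220 ..." (SMTP) or "+OK ..." (POP3).
UPGRADE_OK = re.compile(r"^(220[ -]|\+OK\b)")


def credentials_before_tls(transcript, implicit_tls=False):
    """Return client credential commands sent while the channel was unencrypted.

    transcript: text with lines prefixed "C: " (client) or "S: " (server);
    this format is an assumption of the example. implicit_tls=True models
    ports 465/995, where TLS is negotiated before any protocol line.
    """
    encrypted = implicit_tls
    upgrade_pending = False
    exposed = []
    for raw in transcript.splitlines():
        side, _, line = raw.strip().partition(": ")
        if side == "C":
            if UPGRADE_CMD.match(line):
                upgrade_pending = True
            elif CRED_CMD.match(line) and not encrypted:
                exposed.append(line)
        elif side == "S" and upgrade_pending:
            # Only a positive reply switches the channel to TLS.
            encrypted = encrypted or bool(UPGRADE_OK.match(line))
            upgrade_pending = False
    return exposed


# Constructed sample logs (the base64 value encodes "\0user\0pass").
UPGRADED = """S: 220 mail.example.test ESMTP
C: STARTTLS
S: 220 Ready to start TLS
C: AUTH PLAIN AHVzZXIAcGFzcw=="""
REFUSED = """S: 220 mail.example.test ESMTP
C: STARTTLS
S: 454 TLS not available
C: AUTH PLAIN AHVzZXIAcGFzcw=="""
POP3 = """S: +OK POP3 ready
C: USER alice
C: PASS constructed-password"""
```
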