TLS authentication should NOT allow PLAIN text authentication as fallback

UNCONFIRMED
Unassigned


People

(Reporter: jeff, Unassigned)

Tracking

52 Branch

Description

9 months ago
Created attachment 8984505 [details]
POP3_SMTP_log.txt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

Using v52.8.0 (32-bit) of Thunderbird

Set up mail account using both POP3 server on Port 995 and SMTP server on Port 465.
And set Authentication to either SSL/TLS or STARTTLS with Normal Password



Actual results:

Logs show that authentication/connection is occurring in PLAIN text and username and password are exposed.

See attached log files, using SSL/TLS Authentication setting.


Expected results:

I have an expectation that when I set Authentication to use SSL/TLS or STARTTLS that this will occur securely and not in plain text.

There should be either
(1) no fallback allowed to PLAIN text authentication when SSL/TLS or STARTTLS are chosen, or
(2) there should be an option with prompt asking to confirm whether or not to continue with PLAIN text authentication when secure authentication fails.
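
One way to check a protocol log for the condition this report is concerned with, credential commands issued before the session is protected by TLS. This is an added example, not part of the original report or of Thunderbird's code. The `C: `/`S: ` transcript format, the function name `audit_session` and all sample lines are constructed assumptions; the attached log's format is not shown on this page.

```python
import re

# Client commands that start or carry a credential exchange
# (SMTP AUTH; POP3 USER / PASS / APOP / AUTH).
CRED_CMD = re.compile(r"^(AUTH|USER|PASS|APOP)\b", re.IGNORECASE)

def audit_session(lines, implicit_tls=False):
    """Return [(line_no, verb)] for credential commands sent outside TLS.

    lines        -- transcript lines prefixed "C: " (client) or "S: " (server)
    implicit_tls -- True when TLS wraps the whole session (e.g. ports 465, 995)
    """
    encrypted = implicit_tls
    pending_upgrade = False
    findings = []
    for no, raw in enumerate(lines, 1):
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C":
            if text.upper() in ("STARTTLS", "STLS"):
                pending_upgrade = True
            elif CRED_CMD.match(text) and not encrypted:
                # Record only the verb, never the credential argument.
                findings.append((no, text.split()[0].upper()))
        elif side == "S" and pending_upgrade:
            # SMTP accepts with 220, POP3 with +OK; anything else is a refusal.
            encrypted = text.startswith(("220", "+OK"))
            pending_upgrade = False
    return findings

# Constructed sample: server refuses STARTTLS and the client authenticates anyway.
REFUSED = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO client.example.test",
    "S: 250 AUTH PLAIN LOGIN",
    "C: STARTTLS",
    "S: 454 TLS not available",
    "C: AUTH PLAIN <redacted>",
]
# Constructed sample: upgrade succeeds before any credential command.
UPGRADED = REFUSED[:4] + [
    "S: 220 Ready to start TLS",
    "C: EHLO client.example.test",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN <redacted>",
]
# Constructed sample: POP3 login, audited with and without implicit TLS.
POP3 = ["S: +OK ready", "C: USER <redacted>", "C: PASS <redacted>"]
```

An `AUTH PLAIN` line in a client-side log names the SASL mechanism; the check above reports it only when it precedes a successful TLS upgrade on a session that is not implicitly wrapped in TLS.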