Closed Bug 1467835 Opened 5 years ago Closed 2 years ago
TLS authentication should NOT allow PLAIN text authentication as fallback
(Thunderbird :: Security, defect)
(Reporter: jeff, Unassigned)
13.73 KB, text/plain
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180605171542

Steps to reproduce:

Using v52.8.0 (32-bit) of Thunderbird. Set up mail account using both POP3 server on Port 995 and SMTP server on Port 465. And set Authentication to either SSL/TLS or STARTTLS with Normal Password.

Actual results:

Logs show that authentication/connection is occurring in PLAIN text and username and password are exposed. See attached log files, using SSL/TLS Authentication setting.

Expected results:

I have an expectation that when I set Authentication to use SSL/TLS or STARTTLS that this will occur securely and not in plain text. There should be either (1) no fallback allowed to PLAIN text authentication when SSL/TLS or STARTTLS are chosen, or (2) there should be an option with prompt asking to confirm whether or not to continue with PLAIN text authentication when secure authentication fails.
2 years ago
Sorry, you're confusing concepts. If you're using TLS the connection is secure. The authentication mechanism can then very well be "plain" without any loss of security: the outer layer is already securing you.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
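The distinction drawn in the reply above, between the TLS transport and the SASL PLAIN mechanism, can be checked mechanically. This is an added example, not part of the original bug thread and not Thunderbird code: it decodes a SASL PLAIN token and flags credential-bearing commands sent before TLS is in place. The transcripts, account name and password are constructed, and the input is a simple list of client command lines, not Thunderbird's log format.

```python
import base64

# Ports where TLS is negotiated before any protocol byte is sent (SMTPS, IMAPS, POP3S).
IMPLICIT_TLS_PORTS = {465, 993, 995}

def decode_sasl_plain(token):
    """SASL PLAIN (RFC 4616) is base64(authzid NUL authcid NUL passwd): an encoding, not encryption."""
    authzid, authcid, passwd = base64.b64decode(token).split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()

def credentials_exposed(port, client_lines):
    """Return client commands that start a password exchange while the channel is not under TLS."""
    tls = port in IMPLICIT_TLS_PORTS
    exposed = []
    for line in client_lines:
        upper = line.upper()
        if upper in ("STARTTLS", "STLS"):      # SMTP / POP3 upgrade commands
            tls = True                         # assumption: server accepted and the handshake completed
        elif not tls and upper.startswith(("AUTH PLAIN", "AUTH LOGIN", "USER ", "PASS ")):
            exposed.append(line)
    return exposed

# Constructed sample data (not taken from the attached log).
TOKEN = base64.b64encode(b"\0user@example.test\0not-a-real-password").decode()
SMTPS_465 = ["EHLO client.example.test", "AUTH PLAIN " + TOKEN]
STARTTLS_587 = ["EHLO client.example.test", "STARTTLS",
                "EHLO client.example.test", "AUTH PLAIN " + TOKEN]
CLEARTEXT_25 = ["EHLO client.example.test", "AUTH PLAIN " + TOKEN]
POP3S_995 = ["USER user@example.test", "PASS not-a-real-password"]

if __name__ == "__main__":
    print(decode_sasl_plain(TOKEN))
    for name, port, lines in [("smtps", 465, SMTPS_465), ("starttls", 587, STARTTLS_587),
                              ("cleartext", 25, CLEARTEXT_25), ("pop3s", 995, POP3S_995)]:
        print(name, credentials_exposed(port, lines))
```

Only the port 25 session without STARTTLS reports an exposed command; the same `AUTH PLAIN` line on port 465 or after STARTTLS travels inside the encrypted channel, although a client-side protocol log still records it decoded.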