Closed Bug 1470863 Opened 6 years ago Closed 4 months ago

autoconfig using https

Categories

(Thunderbird :: Account Manager, defect)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dpa-mozilla, Unassigned)

Details

(Whiteboard: [dupme])

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Epiphany/605.1.15

Steps to reproduce:

According to https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration when a new email xyz@example.org is set up, Thunderbird queries the addresses http://autoconfig.example.org/mail/config-v1.1.xml?emailaddress=fred@example.org and http://example.org/.well-known/autoconfig/mail/config-v1.1.xml

1) When the email address is passed, teach Thunderbird to use HTTPS
2) Consider for the second link mentioning that the email address is not passed as a parameter
3) Consider for the second link switching also to HTTPS
Component: Untriaged → Account Manager
Summary: autoconfig → autoconfig using https
Whiteboard: [dupme]
Experiments with TB52.8 show that, although the documentation states that http://example.com/.well-known/autoconfig/mail/config-v1.1.xml is called without the email address, TB is consistent and calls http://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=fred@example.com . I will take care of the second bullet above.

I change the list above:

3) When http://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=fred@example.com is called, teach Thunderbird to insist on using HTTPS.
4) Update both https://wiki.mozilla.org/Thunderbird:Autoconfiguration and https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration to state explicitly that only HTTPS is used for the autoconfiguration with a server at the ISP.
Related to bug 971347?
See Also: → 971347
Severity: normal → S3

(In reply to Jorg K (CEST = GMT+2) from comment #2)

Related to bug 971347?

Reporter, do you consider this to be solved?

Flags: needinfo?(dpa-mozilla)

To my knowledge the practice of fetching autoconfig URLs over insecure HTTP is still applied. https://wiki.mozilla.org/Thunderbird:Autoconfiguration contains “as well as fallback http://example.com/.well-known/autoconfig/mail/config-v1.1.xml, and see whether that host/URL exists.” without including the email address of the account in the example.com-call. So it is not solved.

Flags: needinfo?(dpa-mozilla)
  • The HTTP version is necessary. If we remove HTTP, around 80-90% of the ISP configs will fail. (This is based on a real-world test.)
  • DNS SRV (bug 342242) is a standard and is even less secure than HTTP. (UDP is easier to hijack than TCP.)
  • The attacker would have to exactly time the attack for the moment when the user sets up the account.
  • No successful real-world attack has ever been known.
  • Autoconfig is extremely useful for end users, and has been dramatically successful. Killing its effectiveness is a disservice to users.
  • The user has to explicitly approve the config we find. We show the domain clearly in bold. This is a deliberate measure as a last stop-gap for the theoretical case that there might be an attacker.

WONTFIX. Not a good idea.

(Please first ask the IETF to deprecate the DNS SRV standard and let the IETF say that DNS SRV should not be used anymore without DNSSEC. Once you're successful with that and that has happened, we can reconsider this issue.)

Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → WONTFIX
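
The lookup discussed in this thread, as an added example that is not part of the bug report or Thunderbird's own code: a review helper that flags a config fetched over plain HTTP, an address sent in the query string, and server hosts outside the account's domain. The function name, the sample XML and its hostnames are constructed for illustration; the element names follow the config-v1.1.xml layout.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the config-v1.1.xml layout; hostnames are made up.
SAMPLE_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.mail-relay.example.net</hostname>
      <port>25</port>
      <socketType>plain</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""


def audit_autoconfig(fetched_url, email, xml_text):
    """Return review findings for one autoconfig response (hypothetical helper)."""
    findings = []
    domain = email.rsplit("@", 1)[1].lower()
    url = urlsplit(fetched_url)
    if url.scheme != "https":
        # Over plain HTTP anyone on the path can replace the XML body.
        findings.append("config fetched without TLS: contents are unauthenticated")
        if "emailaddress" in parse_qs(url.query):
            findings.append("email address sent in cleartext query string")
    # For untrusted input prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    for server in root.iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        host = (server.findtext("hostname") or "").strip().lower()
        # Hosted domains legitimately point elsewhere: a prompt for review, not a verdict.
        if host != domain and not host.endswith("." + domain):
            findings.append(f"{server.tag} host {host} is outside {domain}")
        if (server.findtext("socketType") or "").strip().lower() == "plain":
            findings.append(f"{server.tag} host {host} uses no transport encryption")
    return findings
```
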