Closed
Bug 1470863
Opened 6 years ago
Closed 4 months ago
autoconfig using https
Categories
(Thunderbird :: Account Manager, defect)
Thunderbird
Account Manager
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dpa-mozilla, Unassigned)
References
Details
(Whiteboard: [dupme])
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Epiphany/605.1.15
Steps to reproduce:
According to https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration when a new email xyz@example.org is set up, Thunderbird queries the addresses
http://autoconfig.example.org/mail/config-v1.1.xml?emailaddress=fred@example.org and
http://example.org/.well-known/autoconfig/mail/config-v1.1.xml
1) When the email address is passed, teach Thunderbird to use HTTPS
2) Consider for the second link mentioning, that the email address is not passed as parameter
3) Consider for the second link switching also to HTTPs
Updated•6 years ago
|
Component: Untriaged → Account Manager
Summary: autoconfig → autoconfig using https
Whiteboard: [dupme]
Reporter | ||
Comment 1•6 years ago
|
||
Experiments with TB52.8 show, that despite the documentation states that http://example.com/.well-known/autoconfig/mail/config-v1.1.xml is called without the email address, TB is consistent and calls http://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=fred@example.com .
I will take care on the second bullet above.
I change the list above:
3) When http://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=fred@example.com is called, teach Thunderbird to insist on using HTTPS.
4) Update both https://wiki.mozilla.org/Thunderbird:Autoconfiguration and https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration to state explicitly that only HTTPS is used for the autoconfiguration with server on ISP.
Updated•2 years ago
|
Severity: normal → S3
Comment 3•2 years ago
|
||
(In reply to Jorg K (CEST = GMT+2) from comment #2)
Related to bug 971347?
Reporter, do you consider this to be solved?
Flags: needinfo?(dpa-mozilla)
Reporter | ||
Comment 4•2 years ago
|
||
To my knowledge the practice to fetch autoconfig-URLs over insecure HTTP is still applied. https://wiki.mozilla.org/Thunderbird:Autoconfiguration contains “as well as fallback http://example.com/.well-known/autoconfig/mail/config-v1.1.xml, and see whether that host/URL exists. ” without including the email address of the account in the example.com-call. So it is not solved.
Flags: needinfo?(dpa-mozilla)
Comment 5•4 months ago
•
|
||
- The http version is necessary. If we remove HTTP, around 80-90% of the ISP configs will fail. (This is based on real-world test.)
- DNS SRV (bug 342242) is a standard and is even less secure than HTTP. (UDP is easier to hijack than TCP.)
- The attacker would have to exactly time the attack for the moment when the user sets up the account.
- No successful real-world attack has ever been known.
- Autoconfig is extremely useful for end users, and has been dramatically successful. Killing its effectiveness is a disservice to user.
- The user has to explicitly approve the config we find. We show the domain clearly in bold. This is a deliberate measure as a last stop-gap for the theoretical case that there might be an attacker.
WONTFIX. Not a good idea.
(Please first ask to IETF deprecate DNS SRV standard and let IETF say that DNS SRV should not be used anymore, without DNSSEC. Once you're successful with that and that happened, we can re-consider this issue.)
Status: UNCONFIRMED → RESOLVED
Closed: 4 months ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•