Open Bug 1603685 Opened 6 years ago Updated 3 years ago

Certificate is requested by mail server

Categories

(Thunderbird :: Security, defect)

defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: jumpsq, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3831.6 Safari/537.36

Steps to reproduce:

Have an S/MIME certificate
Have an account with e.g. yahoo.com

Actual results:

When connecting to the yahoo account, a user identification request is issued. The S/MIME certificate (that is not related to this account) is presented. One can only click "OK" or "Cancel". The decision is never remembered when not clicking "OK".

Expected results:

The decision not to provide any certificate should be remembered when checking "Remember this decision". Alternatively, the choice for not sending a certificate should be explicitly clickable.
As this is implemented right now, it is easy to accidentally send a certificate for identification to a stranger's mail server. This can lead to privacy impacts and I generally do not regard this as good practice.
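The prompt described in this report is triggered by the TLS handshake: the mail server sends a CertificateRequest, and the client decides whether to answer it with a certificate or with an empty certificate list. The following Go program is an added illustration of that mechanism and is not part of the bug report or of Thunderbird's code. It builds a throwaway self-signed server certificate for 127.0.0.1 (constructed for this example), runs a loopback server configured to request but not require a client certificate, and connects with a client that has no client certificate configured. The handshake completes and the server sees zero client certificates, which is the defender-side point behind the request above: declining to identify yourself to a server that merely asks is a valid outcome, so a remembered "send nothing" decision does not break the connection. All names (`selfSignedCert`, `handshakeWithoutClientCert`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a short-lived certificate for 127.0.0.1.
// It is constructed for this example only and stands in for a real mail server's certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-mail-server"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeWithoutClientCert performs one TLS handshake against a loopback server
// that requests (but does not require) a client certificate, using a client that
// has none configured. It returns the number of client certificates the server saw.
func handshakeWithoutClientCert() (int, error) {
	serverCert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// RequestClientCert makes the server send a CertificateRequest while
		// still accepting an empty certificate list from the client.
		ClientAuth: tls.RequestClientCert,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	type result struct {
		n   int
		err error
	}
	done := make(chan result, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- result{0, err}
			return
		}
		defer conn.Close()
		tconn := conn.(*tls.Conn)
		if err := tconn.Handshake(); err != nil {
			done <- result{0, err}
			return
		}
		// Empty when the client answered the CertificateRequest with no certificate.
		done <- result{len(tconn.ConnectionState().PeerCertificates), nil}
	}()

	clientCfg := &tls.Config{
		RootCAs: pool, // trust only the constructed server certificate
		// No Certificates and no GetClientCertificate: the client replies to the
		// server's CertificateRequest with an empty certificate list.
	}
	client, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return 0, err
	}
	defer client.Close()
	r := <-done
	return r.n, r.err
}

func main() {
	n, err := handshakeWithoutClientCert()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("connection established; server saw %d client certificate(s)\n", n)
}
```

A server configured with `tls.RequireAndVerifyClientCert` instead of `tls.RequestClientCert` would reject the empty reply; a mail client therefore needs to distinguish "the server asked" from "the server insists", and only the latter justifies offering a certificate that identifies the user.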

Severity: normal → S3