Closed Bug 1900181 Opened 1 year ago Closed 1 year ago

Plain default when mail autoconfiguration fails

Categories

(Thunderbird :: Security, defect)

Thunderbird 115
Other
Linux
defect

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: beardwen, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36

Steps to reproduce:

For any email address for which configuration information is not available through the email autoconfiguration mechanism provided by Thunderbird (including FetchConfig.sys.mjs, ExchangeAutoDiscover.sys.mjs, and GuessConfig.sys.mjs).

Actual results:

Thunderbird will set the connection type to plain by default.

Expected results:

Although Thunderbird requires the user to enter the mail server hostname and port manually, a more conservative implementation that takes into account users who know nothing about computer security should provide the encrypted connection type by default in all cases.

Group: mail-core-security

The Bugbug bot thinks this bug is invalid.
If you think the bot is wrong, please reopen the bug and move it back to its prior component.
If your bug description is written in a non-English language, please use Google Translate or a similar service to translate it.

Please note that this is a production bug database used by the Mozilla community to develop Firefox, Thunderbird and other products.
Filing test bugs here will waste the time of our contributors, volunteers and employees.
Accounts that abuse bugzilla.mozilla.org will be disabled.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Component: Security → General
Product: Thunderbird → Invalid Bugs
Resolution: --- → INVALID
Status: RESOLVED → UNCONFIRMED
Component: General → Security
OS: Unspecified → Linux
Product: Invalid Bugs → Thunderbird
Hardware: Unspecified → Other
Resolution: INVALID → ---
Summary: Plain default when mail account autoconfiguration fails → Plain default when mail autoconfiguration fails
Version: unspecified → Thunderbird 115

It changes automatically based on port. So if you enter port 993, it will choose SSL/TLS and so on...

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME

(In reply to Magnus Melin [:mkmelin] from comment #2)

> It changes automatically based on port. So if you enter port 993, it will choose SSL/TLS and so on...

But what happens if the user enters port 143? Thunderbird will use the plaintext connection type (i.e., none) by default and does not automatically switch to STARTTLS. Considering that we can't expect users to be computer security conscious, a conservative implementation would be not to use the plaintext connection type in any case.
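The two comments above describe a port-based default (993 selects SSL/TLS, 143 is left as plain) and the reporter's request for a policy that never defaults to plaintext. The following is an added illustration written for this page, not Thunderbird's own code from GuessConfig.sys.mjs or any other module: it implements a port-to-socket-type guess with a conservative mode, and checks an IMAP greeting or CAPABILITY response for STARTTLS before agreeing to use a cleartext port. The function names, the `conservative` option, the socket-type constants and the sample greeting are all assumptions made for this example.

```javascript
// Added example, not Thunderbird's own code. Shows a port-based default for the
// connection security of a manually entered mail server, the conservative
// variant requested in this bug (never silently default to plaintext), and a
// capability check for STARTTLS on a cleartext port.

const SOCKET = Object.freeze({ PLAIN: "plain", STARTTLS: "starttls", SSL: "ssl" });

// Ports that carry implicit TLS from the first byte (IMAPS, POP3S, submission over TLS).
const IMPLICIT_TLS_PORTS = new Set([993, 995, 465]);
// Well-known cleartext ports on which STARTTLS can be negotiated.
const STARTTLS_PORTS = new Set([143, 110, 587, 25]);

// Guess the socket type from the port alone. With conservative=true (assumed
// default here) the cleartext ports map to STARTTLS instead of plain, and an
// unknown port yields null so the caller must ask the user rather than pick plain.
function defaultSocketTypeForPort(port, { conservative = true } = {}) {
  if (IMPLICIT_TLS_PORTS.has(port)) return SOCKET.SSL;
  if (STARTTLS_PORTS.has(port)) return conservative ? SOCKET.STARTTLS : SOCKET.PLAIN;
  return conservative ? null : SOCKET.PLAIN;
}

// Extract the capability atoms from an IMAP greeting such as
// "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready" or from an
// untagged "* CAPABILITY ..." response. Returns an upper-cased Set of atoms.
function parseImapCapabilities(line) {
  const bracket = /\[CAPABILITY ([^\]]*)\]/i.exec(line);
  const untagged = /^\* CAPABILITY (.*)$/i.exec(line.trim());
  const body = bracket ? bracket[1] : untagged ? untagged[1] : "";
  return new Set(body.split(/\s+/).filter(Boolean).map(c => c.toUpperCase()));
}

// Decide the socket type for a port once the server's capabilities are known.
// On a cleartext port, STARTTLS is used only if advertised; otherwise the
// function refuses (socketType null) instead of downgrading to plaintext.
function chooseSocketType(port, capabilityLine) {
  if (defaultSocketTypeForPort(port) === SOCKET.SSL) {
    return { socketType: SOCKET.SSL, reason: "implicit TLS port" };
  }
  const caps = parseImapCapabilities(capabilityLine);
  if (caps.has("STARTTLS")) {
    return { socketType: SOCKET.STARTTLS, reason: "server advertises STARTTLS" };
  }
  if (caps.has("LOGINDISABLED")) {
    return { socketType: null, reason: "server refuses cleartext login and offers no STARTTLS" };
  }
  return { socketType: null, reason: "no STARTTLS advertised; refusing plaintext default" };
}

// Constructed sample greeting for a server on port 143 that supports STARTTLS.
const SAMPLE_GREETING =
  "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN] example server ready";

// Stand-alone demonstration of the three cases discussed in the bug.
function demo() {
  return {
    port993: defaultSocketTypeForPort(993),
    port143Legacy: defaultSocketTypeForPort(143, { conservative: false }),
    port143Conservative: chooseSocketType(143, SAMPLE_GREETING),
  };
}

console.log(demo());
```

The point of the `conservative` switch is the one the reporter raises: the legacy mapping turns port 143 into plain, while the conservative mapping only ever yields STARTTLS, SSL/TLS, or an explicit refusal that forces a user decision, and the capability check means STARTTLS is selected based on what the server actually advertises rather than on the port number alone.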

Reporter, do you say:

  • you manually configure a server account in thunderbird
  • you set port to 143
  • the server supports starttls
  • thunderbird does not try starttls, but only uses plaintext connection
    ?

If that's true, I'd agree to reopen the bug.

Flags: needinfo?(beardwen)

(In reply to Kai Engert (:KaiE:) from comment #4)

> Reporter, do you say:
>
>   • you manually configure a server account in thunderbird
>   • you set port to 143
>   • the server supports starttls
>   • thunderbird does not try starttls, but only uses plaintext connection
>     ?
>
> If that's true, I'd agree to reopen the bug.

Yes. You can reproduce this in Thunderbird.

Flags: needinfo?(beardwen)

beardwen, does this reproduce in version 140?

If so, please obtain a protocol log https://wiki.mozilla.org/MailNews:Logging

Flags: needinfo?(beardwen)