User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

Mozilla didn't implement the IMAPv4rev1 LOGINDISABLED and STARTTLS CAPABILITY right. It sends the plain password over the wire, even if the server sends a LOGINDISABLED CAPABILITY.

Reproducible: Always

Steps to Reproduce:
1. Use an IMAP server that supports STARTTLS and LOGINDISABLED
2. Use Mozilla to fetch mail from this server
3. And use a network sniffer to find out the password

Actual Results: the password is unencrypted on the wire...

Expected Results:
- Call the CAPABILITY command, or read the capabilities from the server's greeting message, to see what features the server supports.
- Don't send the LOGIN command; instead use the STARTTLS or AUTHENTICATE command to set up a TLS session or another security layer to protect the password and data of the IMAP session on the wire.
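The client-side behaviour the reporter expects, as an added example (not Mozilla's code): parse the capabilities from the greeting or the CAPABILITY response, upgrade with STARTTLS before sending any credentials, re-read the capabilities afterwards as RFC 3501 requires, and refuse LOGIN entirely while LOGINDISABLED is advertised. FakeServer and the capability strings are constructed stand-ins for the exchange.

```python
import re

def parse_capabilities(line):
    """Capability tokens from an untagged '* CAPABILITY ...' response or from
    a greeting's [CAPABILITY ...] response code; empty set if the line has neither."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line)
         or re.match(r"\* CAPABILITY (.*)$", line.strip()))
    return {t.upper() for t in m.group(1).split()} if m else set()

def next_step(caps, tls_active):
    """What a client honouring LOGINDISABLED/STARTTLS may send next."""
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"   # upgrade the connection before any credentials
    if "LOGINDISABLED" in caps:
        return "REFUSE"     # never fall back to a plaintext LOGIN
    return "LOGIN"          # plaintext LOGIN is allowed (or TLS is already up)

class FakeServer:
    """Constructed stand-in: advertises LOGINDISABLED until TLS is active."""
    def __init__(self, offers_starttls=True):
        self.tls = False
        self.offers_starttls = offers_starttls

    def greeting(self):
        caps = ["IMAP4rev1"]
        if not self.tls:
            caps.append("LOGINDISABLED")
            if self.offers_starttls:
                caps.append("STARTTLS")
        return "* OK [CAPABILITY %s] ready" % " ".join(caps)

    def starttls(self):
        self.tls = True

def authenticate(server):
    """Drive the exchange and return the commands the client chose, ending in
    LOGIN (safe to send the password now) or REFUSE (no protected path)."""
    sent = []
    while True:
        caps = parse_capabilities(server.greeting())
        step = next_step(caps, server.tls)
        sent.append(step)
        if step == "STARTTLS":
            server.starttls()   # RFC 3501: discard cached caps, re-read after TLS
            continue
        return sent
```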
David, could you look at this? Have we done this wrong? Is it simply an unsupported feature?
it's an unsupported feature. We do support PREAUTH, which is similar...
Status: UNCONFIRMED → NEW
Ever confirmed: true
This capability isn't mentioned in RFC 2060 but is in the replacement RFC 3501 (March 2003) as a "MUST implement". Even if we don't support TLS, detecting LOGINDISABLED and failing might be better than sending the password in plaintext. Users of such servers may need to get a different client, but if they're in an environment where plaintext passwords are dangerous I'm sure they'd prefer to do that.
Summary: IMAPv4rev1 LOGINDISABLED and STARTTLS CAPABILITY is ignored my mozilla and the plaintext password is send over the wire → implement LOGINDISABLED and STARTTLS CAPABILITY (plaintext password sent over wire)
> Users of such servers may need to get a different client, but if
> they're in an environment where plaintext passwords are dangerous
> I'm sure they'd prefer to do that.

I agree Mozilla should implement both capabilities ASAP since they're MUST in RFC 3501. We already have bug 60377 for STARTTLS in IMAP. But there's no need for a user to wait for LOGINDISABLED or change the client to be sure the credentials are transmitted as plaintext. Just check "Use secure authentication" in the server settings and PLAIN and LOGIN aren't used.
Should this bug really have the security bit set? The issues are neither new nor unique, see bug 60377 for STARTTLS and bug 205944 for LOGINDISABLED.
*** This bug has been marked as a duplicate of 205944 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
*** Bug 263823 has been marked as a duplicate of this bug. ***