implement LOGINDISABLED and STARTTLS CAPABILITY (plaintext password sent over wire)

VERIFIED DUPLICATE of bug 205944

People

(Reporter: metze, Assigned: Bienvenu)

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

Mozilla doesn't implement the IMAP4rev1 LOGINDISABLED and STARTTLS CAPABILITY
right.
It sends the plain password over the wire, even if the server sends a
LOGINDISABLED CAPABILITY.

Reproducible: Always

Steps to Reproduce:
1. Use an IMAP server that supports STARTTLS and LOGINDISABLED
2. Use Mozilla to fetch mail from this server
3. Use a network sniffer to find out the password

Actual Results:  
The password is unencrypted on the wire...

Expected Results:  
- Call the CAPABILITY command, or read the capabilities from the server's greeting
message, to see which features the server supports.

- Don't send the LOGIN command; instead use the STARTTLS or AUTHENTICATE command
to set up a TLS session or another security layer to protect the password
and data of the IMAP session on the wire.
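The client-side check the reporter asks for, as an added Python example that is not part of this bug or of Mozilla's code: it extracts the capability list from either an untagged CAPABILITY response or a greeting carrying a CAPABILITY response code, then decides whether LOGIN may be sent at all. The set of SASL mechanisms treated as not exposing the password is an assumption.

```python
import re

# Assumption: challenge-response mechanisms that never put the password
# itself on the wire, so AUTHENTICATE with them is acceptable without TLS.
NON_PLAINTEXT_MECHS = {"CRAM-MD5"}


def parse_capabilities(line: str) -> set[str]:
    """Return the capability set from one server line.

    Handles both forms a client may see before authenticating:
      '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED'            (untagged)
      '* OK [CAPABILITY IMAP4rev1 LOGINDISABLED] server ready'   (greeting)
    Capability names are case-insensitive (RFC 3501), so they are
    upper-cased for comparison. Anything else yields an empty set.
    """
    line = line.strip()
    m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.IGNORECASE)
    if not m:
        m = re.search(r"\[CAPABILITY\s+([^\]]*)\]", line, re.IGNORECASE)
    return {c.upper() for c in m.group(1).split()} if m else set()


def choose_login_path(caps: set[str], tls_active: bool = False) -> str:
    """Decide the next step given the advertised capabilities.

    'STARTTLS'     - upgrade first, then re-issue CAPABILITY and decide again
    'AUTHENTICATE' - use a non-plaintext SASL mechanism the server offers
    'LOGIN'        - plain LOGIN is permitted by the server
    'REFUSE'       - LOGINDISABLED is set and nothing safer is offered:
                     abort rather than send the password in the clear
    """
    if not tls_active and "STARTTLS" in caps:
        return "STARTTLS"
    if any(f"AUTH={m}" in caps for m in NON_PLAINTEXT_MECHS):
        return "AUTHENTICATE"
    if "LOGINDISABLED" in caps:
        return "REFUSE"
    return "LOGIN"


# Constructed greeting, matching the reporter's scenario (no real server).
if __name__ == "__main__":
    greeting = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
    print(choose_login_path(parse_capabilities(greeting)))
```

After STARTTLS succeeds the capability list must be fetched again, since a server typically drops LOGINDISABLED only once the connection is encrypted.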

Comment 1

David, could you look at this? Have we done this wrong? Is it simply an
unsupported feature?
(Assignee)

Comment 2

15 years ago
It's an unsupported feature. We do support PREAUTH, which is similar...
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

This capability isn't mentioned in RFC 2060 but is in the replacement RFC 3501
(March 2003) as a "MUST implement".

Even if we don't support TLS, detecting LOGINDISABLED and failing might be
better than sending the password in plaintext. Users of such servers may need to
get a different client, but if they're in an environment where plaintext
passwords are dangerous I'm sure they'd prefer to do that.
Summary: IMAPv4rev1 LOGINDISABLED and STARTTLS CAPABILITY is ignored my mozilla and the plaintext password is send over the wire → implement LOGINDISABLED and STARTTLS CAPABILITY (plaintext password sent over wire)
Whiteboard: [sg:fix]

Comment 4

15 years ago
> Users of such servers may need to get a different client, but if
> they're in an environment where plaintext passwords are dangerous
> I'm sure they'd prefer to do that.

I agree Mozilla should implement both capabilities ASAP since they're MUST in
RFC 3501. We already have bug 60377 for STARTTLS in IMAP.

But there's no need for a user to wait for LOGINDISABLED or change the client to
be sure the credentials are transmitted as plaintext.
Just check "Use secure authentication" in the server settings and PLAIN and
LOGIN aren't used.

Comment 5

14 years ago
Should this bug really have the security bit set?
The issues are neither new nor unique; see bug 60377 for STARTTLS and bug
205944 for LOGINDISABLED.

*** This bug has been marked as a duplicate of 205944 ***
Group: security
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:fix]
*** Bug 263823 has been marked as a duplicate of this bug. ***

Updated

14 years ago
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core