Closed Bug 297278 Opened 19 years ago Closed 15 years ago

Thunderbird should warn before sending passwords over plaintext protocols

Categories

(Thunderbird :: Security, enhancement)

x86
Linux
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 259982

People

(Reporter: bugreports2005, Unassigned)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050515 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050515 Firefox/1.0.4

The account generation wizard in Thunderbird does not
allow the choice of SSL with IMAP. After account generation it tries to log in,
and innocently asks for a password to be sent over the net in the clear. I have
compromised two passwords this way now, and a third one by a mistake in outgoing
SMTP configuration. To make matters worse, each compromise occurred on an easily
snoopable WLAN.

A part of a fix would be to allow the account generation wizard to activate SSL,
which I noticed is being discussed already. However, it will not shield against
mistakes in configuration.

I think the correct behaviour for Thunderbird would be to display a warning
whenever a password is about to be sent over the net in the clear. Not much
unlike Firefox, which displays such a warning whenever something is being sent
in the clear.


Reproducible: Always

Duplicate of/related to bug 221030?

(In reply to comment #1)
> Duplicate of/related to bug 221030?

Related to, yes. Duplicate of, no. 221030 just makes it worse.

A warning would, in my opinion, be appropriate whenever sending cleartext
passwords, whether the wizard allows the initial setup of SSL or not. These
innocent-looking password requests have burned me thrice already.

With the proliferation of WiFi hotspot access this is a very good idea. It could
be set up like the Firefox unencrypted submit warning: warn the first time (per
account) then go silent unless the user checks the box. The latter is to prevent
it from getting too annoying since so many places don't support encrypted mail
servers, nor is it really necessary for people with direct dial-up connections
to their ISP's mail server. But the one-time warning will raise awareness, and
perhaps get more people to think about the issue and put pressure on ISPs who
don't support SSL.

Assignee: dveditz → mscott
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Summary: Thunderbird should warn before compromising passwords → Thunderbird should warn before sending passwords over plaintext protocols

*** Bug 308261 has been marked as a duplicate of this bug. ***

(In reply to comment #3)
> It could be set up like the Firefox unencrypted submit warning: warn the
> first time (per account) then go silent unless the user checks the box.

This would be exactly what I'd like to see.

Assignee: mscott → nobody
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
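
The behaviour requested in this thread (check at the moment the password is sent, warn once per account, keep warning only if the user ticks the box), sketched as an added example that is not part of the bug report or Thunderbird's code. The class, field and mechanism names are assumptions made for illustration.

```javascript
// Added example; names are hypothetical and this is not Thunderbird code.
// Mechanisms that put the password itself on the wire (assumption: anything
// else, e.g. CRAM-MD5, is challenge-response and does not).
const CLEARTEXT_MECHS = new Set(["PLAIN", "LOGIN"]);

class CleartextPasswordGate {
  constructor() {
    this.perAccount = new Map(); // accountKey -> { warned, alwaysWarn }
  }

  // Called at the moment of authentication with the *live* connection state,
  // so a misconfigured account or a failed TLS upgrade is caught as well.
  check(conn) {
    const exposed = !conn.tlsActive && CLEARTEXT_MECHS.has(conn.mechanism);
    if (!exposed) return "send";
    const s = this.perAccount.get(conn.accountKey);
    if (s && s.warned && !s.alwaysWarn) return "send"; // one-time warning used up
    return "warn";
  }

  // Records the user's answer to the warning dialog.
  answer(accountKey, proceed, alwaysWarn) {
    // Cancelling does not use up the one-time warning.
    if (proceed) this.perAccount.set(accountKey, { warned: true, alwaysWarn });
    return proceed ? "send" : "abort";
  }
}

// Constructed sample connections (not captured from a real client).
function demo() {
  const gate = new CleartextPasswordGate();
  const imapPlain = { accountKey: "imap1", tlsActive: false, mechanism: "LOGIN" };
  const smtpPlain = { accountKey: "smtp1", tlsActive: false, mechanism: "PLAIN" };
  const imapTls = { accountKey: "imap2", tlsActive: true, mechanism: "LOGIN" };
  const out = [];
  out.push(gate.check(imapTls));                // encrypted: no warning
  out.push(gate.check(imapPlain));              // first cleartext login: warn
  out.push(gate.answer("imap1", false, false)); // user cancels
  out.push(gate.check(imapPlain));              // still warns next time
  out.push(gate.answer("imap1", true, false));  // user proceeds, box unchecked
  out.push(gate.check(imapPlain));              // now silent for this account
  out.push(gate.check(smtpPlain));              // other account: own warning
  out.push(gate.answer("smtp1", true, true));   // box checked: keep warning
  out.push(gate.check(smtpPlain));
  return out;
}
```

Keying the decision on the negotiated connection state rather than on the saved account settings is what covers the configuration mistakes the reporter describes.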