Open
Bug 351742
Opened 19 years ago
Updated 3 years ago
Need iMIP security mechanism for iMIP bar, should implement security as described in RFC 2447
Categories
(Calendar :: E-mail based Scheduling (iTIP/iMIP), defect)
Calendar
E-mail based Scheduling (iTIP/iMIP)
Tracking
(Not tracked)
NEW
People
(Reporter: cmtalbert, Unassigned)
References
()
Details
(Keywords: sec-want, Whiteboard: [sg:want spoof])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Lightning BuildID 2006082320 Thunderbird version 3 alpha 1 20060811
RFC 2447 describes five different issues that must be addressed before an iMIP message can be processed. Due to the fact that the spec may change, I suggest you look there for clarification on what they are. They are in section 3.
Since most of these issues address spoofing attacks, they should be addressed in the same manner as other types of spoofing (or phishing) are addressed in Thunderbird. So, we would expect the iMIP bar to change and inform the user "This invitation doesn't look quite right", and it should have a button to clear that warning if the user decides that the invite is OK.
Reproducible: Always
Steps to Reproduce:
Hack a signed email to reproduce each of the security scenarios as detailed in RFC 2447.
Actual Results:
Lightning treats the corrupted invite in the same way that it does any other invite.
Expected Results:
Lightning should notify the user that something looks suspicious in the invite.
Comment 1•18 years ago
At the risk of suggesting the obvious, I would like Thunderbird's security checks (e.g. Scams / Junk Mail) to take precedence over Lightning's iMIP security checks.
(In reply to comment #1)
> At the risk of suggesting the obvious, I would like Thunderbird's security
> checks (e.g. Scams / Junk Mail) to take precedence over Lightning's iMIP
> security checks.
>
Yes, these are separate. The Thunderbird security checks and the UI for that are entirely separate from the iMIP bar UI. If an email gets flagged as Junk/Scam etc., that notification will appear above the iMIP bar. You can see this today by manually telling Thunderbird that a particular invitation is junk. And yes, those checks would take precedence over the iMIP security issues as well.
Updated•18 years ago
Flags: wanted-calendar0.8?
Comment 3•18 years ago
It would be good to have this in 0.8
Flags: wanted-calendar0.8? → wanted-calendar0.8+
Updated•18 years ago
Comment 4•18 years ago
Not going to happen for 0.8.
Flags: wanted-calendar0.8+ → wanted-calendar0.8-
Updated•18 years ago
Component: Internal Components → Lightning Only
QA Contact: base → lightning
Updated•17 years ago
Component: Lightning Only → E-mail based Scheduling (iTIP/iMIP)
QA Contact: lightning → email-scheduling
Updated•17 years ago
Whiteboard: [sg:want spoof]
Comment 6•7 years ago
Seems like a valid Calendar/Thunderbird sec-want item. Better question for the Thunderbird council.
Flags: needinfo?(dveditz)
Comment 7•7 years ago
We definitely should investigate this, but given there has been no activity in 12 years and there isn't a pressing need, feel free to remove your flags as appropriate so it doesn't keep showing up in your queries.
Updated•3 years ago
Severity: normal → S3