[autoconfig] cleartext email address transmission

RESOLVED FIXED in Thunderbird 30.0

Status

defect
RESOLVED FIXED
8 years ago
5 years ago

People

(Reporter: tagnaq, Assigned: BenB)

Tracking

(Blocks 1 bug)

Thunderbird 30.0

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

8 years ago
When configuring a new email account in the Account Manager, Thunderbird transmits the email address in the GET parameter "emailaddress" to autoconfig.example.com and example.com in cleartext, hence the user discloses their email address to the LAN and everyone on the way to the destination.

http://autoconfig.example.com/mail/config-v1.1.xml?emailaddress=user%40example.com

http://example.com/.well-known/autoconfig/mail/config-v1.1.xml?emailaddress=user%40example.com

Not every user is fine with this disclosure, especially if users would like to preserve their privacy in hostile networks.
Please provide a way to opt-out. 

workaround:
provide random email address and configure manually afterwards

Steps to reproduce:
1. Add a new mail account
2. provide name and email
3. watch for http requests on the network (wireshark)


https://developer.mozilla.org/en/Thunderbird/Autoconfiguration
(Reporter)

Updated

8 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 664633
(Assignee)

Comment 2

5 years ago
Not a dup. This bug specifically asks for an opt-out setting (presumably via about:config), which is a reasonable request. I support this RFE.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---
(Assignee)

Comment 3

5 years ago
This is needed by TorBirdy.
Assignee: nobody → ben.bucksch
(Assignee)

Updated

5 years ago
Status: REOPENED → ASSIGNED
(Assignee)

Comment 4

5 years ago
Attachment #8372510 - Flags: review?(bwinton)
(Assignee)

Comment 5

5 years ago
This additional pref allows keeping ISP configs enabled while disabling the transmission of the email address, which many ISPs don't need. Those that do can fail (HTTP 400) and we can continue.

The third pref allows disabling the guess config.
Attachment #8372510 - Attachment is obsolete: true
Attachment #8372510 - Flags: review?(bwinton)
(Assignee)

Comment 6

5 years ago
Policy:
tagnaq, is only the email address a problem or the mere request via HTTP?
Please note that the identity of the ISP leaks in any case: When you look up imap.yourisp.com, everybody on your network knows you use yourisp. So, from a privacy perspective, the ISP lookup without email address should be OK.
That said, it should be possible to disable that request entirely, because it comes in via HTTP, which is a problem for authenticity (not just privacy), while the ISPDB lookups happen via HTTPS.
(Assignee)

Updated

5 years ago
Attachment #8372645 - Flags: review?(bwinton)
Comment on attachment 8372645 [details] [diff] [review]
Prefs to disable ISP fetch, email address transmission, and guess config

Review of attachment 8372645 [details] [diff] [review]:
-----------------------------------------------------------------

::: mailnews/base/prefs/content/accountcreation/fetchConfig.js
@@ +73,5 @@
> +  var urlArgs = { emailaddress: emailAddress };
> +  if (!Services.prefs.getBoolPref(
> +      "mailnews.auto_config.fetchFromISP.emailAddressEnabled")) {
> +    delete urlArgs.emailaddress;
> +  }  
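
Review bot: in the lines that build urlArgs, the address is added unconditionally and then removed with delete when mailnews.auto_config.fetchFromISP.emailAddressEnabled is false, so leaving it out depends on the second statement running. Start with an empty urlArgs and assign urlArgs.emailaddress only inside an if that tests the pref as true; that makes omitting the address the default path. The getBoolPref call also has no fallback in this hunk, so the patch should ship a default value for the pref (or guard the read), since a missing pref would make the call throw before the fetch starts.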

trailing space.
The pref name is inconsistent with the others (which are .enabled)
(Assignee)

Comment 9

5 years ago
> The pref name is inconsistent with the others (which are .enabled)

fetchFromISP is a component. enabled and emailAddressEnabled are prefs to control it. emailAddress is not a logical entity for prefs hierarchy.

(If you want to be nit-picking, I'm more bothered about the _ in "mailnews.auto_config_url". It should be "mailnews.autoConfig.url")
(Reporter)

Comment 10

5 years ago
Hi Ben,

thanks for your help!

(In reply to Ben Bucksch (:BenB) from comment #6)
> Policy:
> tagnaq, is only the email address a problem or the mere request via HTTP?

The mere request (actually its response) is a "problem" (or just not useful if you don't trust configs fetched via plain HTTP).

So a 'forceHTTPS' pref would be of use in the TorBirdy context. In that case we don't mind submitting the email address.

If there will be no such thing as 'forceHTTPS' for the ISP fetch, then we are still happy to use 'fetchFromISP.enabled = false' to skip the insecure HTTP fetch - while still using Mozilla's ISPDB.

btw: I also commented on your trac entry, but I guess we should continue here until something got merged.
(Assignee)

Comment 11

5 years ago
bwinton, can I have a review, please? I need this committed before I can work on bug 917347, because they'll conflict on a code level.
(Assignee)

Updated

5 years ago
Blocks: 664633
Comment on attachment 8372645 [details] [diff] [review]
Prefs to disable ISP fetch, email address transmission, and guess config

Review of attachment 8372645 [details] [diff] [review]:
-----------------------------------------------------------------

The code seems fine to me.  I am (as ever) disappointed with the lack of tests.
As long as this passes all our existing tests, and you fix the nits Magnus mentioned, r=me.
Attachment #8372645 - Flags: review?(bwinton) → review+
(Assignee)

Comment 14

5 years ago
Test result:
https://tbpl.mozilla.org/php/getParsedLog.php?id=34578575&tree=Thunderbird-Try#error0
The errors are spurious, because https://tbpl.mozilla.org/?tree=Thunderbird-Try&rev=2b346bf250f2 got the same errors
So, that's test PASS I guess.
(Assignee)

Comment 15

5 years ago
Committed as https://hg.mozilla.org/comm-central/rev/12401af31c63

FIXED
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago → 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 16

5 years ago
(FWIW, I found the perfect color of the bikeshed: sendEmailAddress instead of emailAddressEnabled. Satisfies both mine and mkmelin's logic.)

The new prefs are:

// Allow to contact ISP (email address domain)
// This happens via insecure means (HTTP), so the config cannot be trusted,
// and also contains the email address
pref("mailnews.auto_config.fetchFromISP.enabled", true);
// Allow the fetch from ISP via HTTP, but not the email address
pref("mailnews.auto_config.fetchFromISP.sendEmailAddress", true);
pref("mailnews.auto_config.guess.enabled", true);
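
How the two fetchFromISP prefs change what an on-path observer sees, as an added example that is not Thunderbird's code or part of the original comment. The pref names and URL patterns are the ones quoted in this bug; the function names (ispFetchUrls, exposure, audit) and the sample address are assumptions made for illustration.

```javascript
// Added example, not Thunderbird code. Pref names are from this bug;
// function names and the sample address are constructed for illustration.
const DEFAULT_PREFS = {
  "mailnews.auto_config.fetchFromISP.enabled": true,
  "mailnews.auto_config.fetchFromISP.sendEmailAddress": true,
};

// URLs the ISP fetch would request for this address under the given prefs.
function ispFetchUrls(emailAddress, prefs = DEFAULT_PREFS) {
  if (!prefs["mailnews.auto_config.fetchFromISP.enabled"]) return [];
  const at = emailAddress.lastIndexOf("@");
  const domain = emailAddress.slice(at + 1).toLowerCase();
  // Reject anything that could smuggle a path or port into the host part.
  if (at < 1 || !/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) {
    throw new Error("not a usable email address");
  }
  // Only add the query when the pref allows it (omission is the default).
  const query = prefs["mailnews.auto_config.fetchFromISP.sendEmailAddress"] === true
    ? "?emailaddress=" + encodeURIComponent(emailAddress)
    : "";
  return [
    `http://autoconfig.${domain}/mail/config-v1.1.xml${query}`,
    `http://${domain}/.well-known/autoconfig/mail/config-v1.1.xml${query}`,
  ];
}

// What one request exposes to an observer on the network path.
function exposure(urlString) {
  const url = new URL(urlString);
  const cleartext = url.protocol === "http:";
  return {
    cleartext,
    leaksAddress: cleartext && url.searchParams.has("emailaddress"),
    // The host name alone still identifies the provider (comment 6).
    provider: url.hostname.replace(/^autoconfig\./, ""),
    // A config fetched over plain HTTP is not authenticated.
    configTrusted: !cleartext,
  };
}

// Combine both: every planned request with its exposure.
function audit(emailAddress, prefs) {
  return ispFetchUrls(emailAddress, prefs).map((u) => ({ url: u, ...exposure(u) }));
}

console.log(audit("user@example.com", DEFAULT_PREFS));
```

With sendEmailAddress set to false the requests still go out over HTTP, so the provider remains visible and the returned config remains unauthenticated; only enabled = false removes the cleartext fetch.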

Comment 17

5 years ago
(In reply to Ben Bucksch (:BenB) from comment #11)
> bwinton, can I have a review, please? I need this committed before I can work
> on bug 917347, because they'll conflict on a code level.

Is the bug number right? That bug does not seem related in any way.
Target Milestone: --- → Thunderbird 30.0
(Assignee)

Comment 18

5 years ago
aceman, that was a typo. Correct is: bug 971347.