"Force encryption" changed by "Use encryption if available" after XMPP wizard

RESOLVED FIXED in Thunderbird 34.0

Status

Thunderbird
Instant Messaging
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: mozilla, Assigned: clokep)

Tracking

28 Branch
Thunderbird 34.0
x86_64
Windows 8.1

Thunderbird Tracking Flags

(thunderbird32 fixed, thunderbird33 fixed, thunderbird34 fixed, thunderbird_esr3132+ fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20131213040203

Steps to reproduce:

1. Open the Accounts list
2. Add account
3. Choose XMPP
4. During the wizard, choose "Require encryption" (in French, something like: force encryption)


Actual results:

"Force encryption" has been replaced by "Use encryption if available".

If you choose "Force encryption" it will be kept this time.
Only the XMPP wizard does not take this choice and always puts "Use encryption if available"
I could reproduce this on Thunderbird, but not on Instantbird (even after enabling JS-XMPP).
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

3 years ago
Confirming this bug in TB 31.

This looks like a security risk.

How can TB automatically *lower* a security setting that the user actively set to high, potentially exposing login passwords to a man-in-the-middle?

And nobody replies to this for over 8 months?

Please CC somebody who has worked on this feature so that we can get this fixed, and if this bugzilla allows it, please add a security tag.
(In reply to Florian Quèze [:florian] [:flo] from comment #1)
> I could reproduce this on Thunderbird, but not on Instantbird

Because it's already been debugged and fixed for Instantbird in bug 955079.

The fix is trivial, it's just something we forgot to port to Thunderbird :-(.
(Assignee)

Comment 4

3 years ago
Created attachment 8474222 [details] [diff] [review]
Ported patch v1

We should ask to uplift this to the TB 31 branch.
Assignee: nobody → clokep
Status: NEW → ASSIGNED
Attachment #8474222 - Flags: review?(florian)
(Assignee)

Comment 5

3 years ago
(In reply to mail from comment #2)
> How can TB automatically *lower* a security setting that the user actively
> set to high, potentially exposing login passwords to a man-in-the-middle?

Please note that this wasn't done *on purpose* by any means. It's a bug, please don't attribute malice to this. Programmers are people too, they overlook things when writing code.

> And nobody replies to this for over 8 months?

Things fall off our radar, thanks for bringing it back to our attention! As you see, I've attached a fix for this.
Attachment #8474222 - Flags: review?(florian) → review+
(Assignee)

Updated

3 years ago
Keywords: checkin-needed
status-thunderbird31: --- → affected
status-thunderbird32: --- → affected
status-thunderbird33: --- → affected
status-thunderbird34: --- → affected
status-thunderbird_esr31: --- → affected
tracking-thunderbird_esr31: --- → ?

Comment 6

3 years ago
(In reply to Patrick Cloke [:clokep] from comment #5)
> please don't attribute malice to this

Oh, that wasn't my intention at all; it was just the combination of it being an obvious bug, security related and reported a long time ago that made me surprised about this having received no reply at all.

Thanks for the swift response after my comment!
https://hg.mozilla.org/comm-central/rev/e8a8ea884634
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 34.0
status-thunderbird34: affected → ---
tracking-thunderbird_esr31: ? → 32+
Comment on attachment 8474222 [details] [diff] [review]
Ported patch v1

[Triage Comment]
Will take onto aurora straight away due to current trunk issues, will do beta/esr in a day or so.
Attachment #8474222 - Flags: approval-comm-esr31?
Attachment #8474222 - Flags: approval-comm-beta?
Attachment #8474222 - Flags: approval-comm-aurora+
Attachment #8474222 - Flags: approval-comm-esr31?
Attachment #8474222 - Flags: approval-comm-esr31+
Attachment #8474222 - Flags: approval-comm-beta?
Attachment #8474222 - Flags: approval-comm-beta+
https://hg.mozilla.org/releases/comm-aurora/rev/3655132711fc
status-thunderbird33: affected → fixed
https://hg.mozilla.org/releases/comm-beta/rev/8119bbfaa8f3
status-thunderbird32: affected → fixed
https://hg.mozilla.org/releases/comm-esr31/rev/ed3d74556608
status-thunderbird31: affected → ---
status-thunderbird_esr31: affected → fixed
status-thunderbird34: --- → fixed