Closed Bug 950335 Opened 10 years ago Closed 10 years ago

"Force encryption" changed by "Use encryption if available" after XMPP wizard

Categories

(Thunderbird :: Instant Messaging, defect)

28 Branch
x86_64
Windows 8.1
defect
Not set
normal

Tracking

(thunderbird32 fixed, thunderbird33 fixed, thunderbird34 fixed, thunderbird_esr3132+ fixed)

RESOLVED FIXED
Thunderbird 34.0

People

(Reporter: mozilla, Assigned: clokep)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20131213040203

Steps to reproduce:

1. Open the Accounts list
2. Add account
3. Choose XMPP
4. During the wizard, choose "Require encryption" (in French, something like: force encryption)


Actual results:

"Force encryption" has been replaced by "Use encryption if available".

If you choose "Force encryption" it will be kept this time.
Only the XMPP wizard does not take this choice and always puts "Use encryption if available".
I could reproduce this on Thunderbird, but not on Instantbird (even after enabling JS-XMPP).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Confirming this bug in TB 31.

This looks like a security risk.

How can TB automatically *lower* a security setting that the user actively set to high, potentially exposing login passwords to a man-in-the-middle?

And nobody replies to this for over 8 months?

Please CC somebody who has worked on this feature so that we can get this fixed, and if this bugzilla allows it, please add a security tag.
(In reply to Florian Quèze [:florian] [:flo] from comment #1)
> I could reproduce this on Thunderbird, but not on Instantbird

Because it's already been debugged and fixed for Instantbird in bug 955079.

The fix is trivial, it's just something we forgot to port to Thunderbird :-(.
Attached patch: Ported patch v1 (Splinter Review)
We should ask to uplift this to the TB 31 branch.
Assignee: nobody → clokep
Status: NEW → ASSIGNED
Attachment #8474222 - Flags: review?(florian)
(In reply to mail from comment #2)
> How can TB automatically *lower* a security setting that the user actively
> set to high, potentially exposing login passwords to a man-in-the-middle?
Please note that this wasn't done *on purpose* by any means. It's a bug; please don't attribute malice to this. Programmers are people too; they overlook things when writing code.

> And nobody replies to this for over 8 months?
Things fall off our radar, thanks for bringing it back to our attention! As you see, I've attached a fix for this.
Attachment #8474222 - Flags: review?(florian) → review+
Keywords: checkin-needed
(In reply to Patrick Cloke [:clokep] from comment #5)
> please don't attribute malice to this

Oh, that wasn't my intention at all; it was just the combination of it being an obvious bug, security related and reported a long time ago that made me surprised about this having received no reply at all.

Thanks for the swift response after my comment!
https://hg.mozilla.org/comm-central/rev/e8a8ea884634
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 34.0
Comment on attachment 8474222 [details] [diff] [review]
Ported patch v1

[Triage Comment]
Will take onto aurora straight away due to current trunk issues, will do beta/esr in a day or so.
Attachment #8474222 - Flags: approval-comm-esr31?
Attachment #8474222 - Flags: approval-comm-beta?
Attachment #8474222 - Flags: approval-comm-aurora+
Attachment #8474222 - Flags: approval-comm-esr31?
Attachment #8474222 - Flags: approval-comm-esr31+
Attachment #8474222 - Flags: approval-comm-beta?
Attachment #8474222 - Flags: approval-comm-beta+