User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20131213040203

Steps to reproduce:
1. Open the Accounts list
2. Add account
3. Choose XMPP
4. During the wizard, choose "Require encryption" (in French something like: force encryption)

Actual results:
"Force encryption" has been replaced by "Use encryption if available". If you choose "Force encryption" it will be kept this time. Only the XMPP wizard does not take this choice and always puts "Use encryption if available".
I could reproduce this on Thunderbird, but not on Instantbird (even after enabling JS-XMPP).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Confirming this bug in TB 31. This looks like a security risk. How can TB automatically *lower* a security setting that the user actively set to high, potentially exposing login passwords to a man-in-the-middle? And nobody replies to this for over 8 months? Please CC somebody who has worked on this feature so that we can get this fixed, and if this bugzilla allows it, please add a security tag.
(In reply to Florian Quèze [:florian] [:flo] from comment #1)
> I could reproduce this on Thunderbird, but not on Instantbird

Because it's already been debugged and fixed for Instantbird in bug 955079. The fix is trivial, it's just something we forgot to port to Thunderbird :-(.
Created attachment 8474222
Ported patch v1

We should ask to uplift this to the TB 31 branch.
Assignee: nobody → clokep
Status: NEW → ASSIGNED
Attachment #8474222 - Flags: review?(florian)
(In reply to mail from comment #2)
> How can TB automatically *lower* a security setting that the user actively
> set to high, potentially exposing login passwords to a man-in-the-middle?

Please note that this wasn't done *on purpose* by any means. It's a bug, please don't attribute malice to this. Programmers are people too, they overlook things when writing code.

> And nobody replies to this for over 8 months?

Things fall off our radar, thanks for bringing it back to our attention! As you see, I've attached a fix for this.
Attachment #8474222 - Flags: review?(florian) → review+
status-thunderbird31: --- → affected
status-thunderbird32: --- → affected
status-thunderbird33: --- → affected
status-thunderbird34: --- → affected
status-thunderbird_esr31: --- → affected
tracking-thunderbird_esr31: --- → ?
(In reply to Patrick Cloke [:clokep] from comment #5)
> please don't attribute malice to this

Oh that wasn't my intention at all; it was just the combination of it being an obvious bug, security related and reported a long time ago that made me surprised about this having received no reply at all. Thanks for the swift response after my comment!
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 34.0
status-thunderbird34: affected → ---
tracking-thunderbird_esr31: ? → 32+
Comment on attachment 8474222
Ported patch v1

[Triage Comment]
Will take onto aurora straight away due to current trunk issues, will do beta/esr in a day or so.
status-thunderbird33: affected → fixed
status-thunderbird32: affected → fixed
status-thunderbird31: affected → ---
status-thunderbird_esr31: affected → fixed