Bug 162991

Summary: Account creation wizard does not prompt for SSL configuration
Product: Red Hat Enterprise Linux 4
Reporter: Chris Snook <csnook>
Component: thunderbird
Assignee: Christopher Aillon <caillon>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: 4.0
Hardware: All
OS: Linux
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=221030
Doc Type: Bug Fix
Last Closed: 2007-05-16 13:37:10 UTC

Description Chris Snook 2005-07-12 00:35:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
The Thunderbird account creation wizard does not ask the user if they would like to use SSL for the connection to the server.  Upon completion of the wizard, Thunderbird attempts to open the account on the server, and prompts the user for the password, which will then be sent in cleartext across the network.  This inadequacy can (and routinely does) trick even knowledgeable, security-conscious users into sending a password across the network unencrypted.

This has been discussed at great length (over multiple years) by Mozilla developers and users, but it doesn't seem to be a high development priority, even though there are already patches provided:

https://bugzilla.mozilla.org/show_bug.cgi?id=221030

Version-Release number of selected component (if applicable):
thunderbird-1.0.2-1.4.1

How reproducible:
Always

Steps to Reproduce:
1. Create IMAP (or POP or NNTP) account in Thunderbird
2. Watch Thunderbird prompt you for the password and send it in cleartext before you have the opportunity to configure SSL  

Actual Results:  I was not given the option to configure SSL, and I was asked for my password, which was submitted to the server unencrypted.

Expected Results:  The wizard should have permitted me to set SSL options prior to attempting to authenticate with the server.

Additional info:

This also occurs on Fedora Core 4.  Not sure if severity should be "security" or "enhancement".
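The failure mode reported above (a credential command sent before the session is protected) is easy to spot in a mail client's protocol trace. The following detector is an added example, not code from the report or from Thunderbird; it assumes a trace already split into (session, protocol, direction, line) tuples and uses a constructed sample with fake credentials.

```python
import re

# Constructed sample trace (not a real capture): (session, protocol, direction, line),
# where "C" is client->server and "S" is server->client. All credentials are fake.
SAMPLE_TRACE = [
    ("s1", "imap", "C", "a001 LOGIN alice hunter2"),           # never tried TLS
    ("s2", "imap", "C", "a001 STARTTLS"),
    ("s2", "imap", "S", "a001 OK Begin TLS negotiation now"),
    ("s2", "imap", "C", "a002 LOGIN alice hunter2"),           # after TLS: fine
    ("s3", "imap", "C", "a001 STARTTLS"),
    ("s3", "imap", "S", "a001 BAD STARTTLS not supported"),
    ("s3", "imap", "C", "a002 LOGIN alice hunter2"),           # fell back to clear
    ("s4", "pop3", "C", "USER bob"),
    ("s4", "pop3", "C", "PASS letmein"),                       # POP3 in the clear
    ("s5", "nntp", "C", "AUTHINFO USER carol"),
    ("s5", "nntp", "C", "AUTHINFO PASS letmein"),              # NNTP in the clear
]

# Per protocol: credential-bearing command, TLS upgrade request, server acceptance.
RULES = {
    "imap": (re.compile(r"^\S+\s+(LOGIN|AUTHENTICATE)\b", re.I),
             re.compile(r"^\S+\s+STARTTLS\b", re.I), re.compile(r"^\S+\s+OK\b", re.I)),
    "pop3": (re.compile(r"^(PASS|AUTH)\b", re.I),
             re.compile(r"^STLS\b", re.I), re.compile(r"^\+OK")),
    "nntp": (re.compile(r"^AUTHINFO\s+(PASS|SASL)\b", re.I),
             re.compile(r"^STARTTLS\b", re.I), re.compile(r"^382\b")),
}

def find_cleartext_auth(trace):
    """Return [(session, protocol, verb, reason)] for each credential command
    sent before the session successfully upgraded to TLS. The password itself
    is never copied into a finding."""
    tls_ok, tls_pending, tls_tried, findings = set(), set(), set(), []
    for sid, proto, direction, line in trace:
        auth_re, upgrade_re, accept_re = RULES[proto]
        if direction == "S":
            if sid in tls_pending and accept_re.match(line):
                tls_ok.add(sid)        # server accepted the upgrade
            tls_pending.discard(sid)   # any other reply means it was refused
            continue
        if upgrade_re.match(line):
            tls_pending.add(sid)
            tls_tried.add(sid)
        elif (m := auth_re.match(line)) and sid not in tls_ok:
            reason = "TLS upgrade refused" if sid in tls_tried else "no TLS upgrade attempted"
            findings.append((sid, proto, m.group(1).upper(), reason))
    return findings

if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_TRACE):
        print("cleartext credential: session=%s proto=%s cmd=%s (%s)" % f)
```

Sessions that use an implicit-SSL port (IMAPS, POP3S) never appear in such a trace in the clear and so produce no findings; the "refused" reason distinguishes a client that silently fell back from one that never tried.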

Comment 1 Matěj Cepl 2007-05-16 13:36:25 UTC
A long-discussed upstream bug is certainly a good candidate for being closed as CLOSED/UPSTREAM (see https://bugzilla.redhat.com/bugzilla/page.cgi?id=fields.html#upstream for more explanation of what this state means).