Bug 1477744 - Emacs movemail POP is insecure
Summary: Emacs movemail POP is insecure
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: emacs
Version: 26
Hardware: All
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jan Synacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-08-02 19:10 UTC by Paul Eggert
Modified: 2017-08-04 08:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-03 06:47:11 UTC
Type: Bug
Embargoed:



Description Paul Eggert 2017-08-02 19:10:09 UTC
Description of problem:
The program /usr/libexec/emacs/25.2/*/movemail, shipped as part of Emacs in Fedora 26, supports only insecure (plaintext) POP. This is an obvious security problem.

Version-Release number of selected component (if applicable):
Emacs 25.2
Fedora 26

How reproducible:
Use Emacs to read your mail via POP. Your email will go over the network in the clear. Emacs movemail does not support encrypted transfer.

Additional info:
GNU Emacs 26 and later will address this issue by using GNU Mailutils if so configured. I suggest configuring Emacs 26 with './configure --with-mailutils', and installing GNU Mailutils as a prerequisite for Emacs.

Comment 1 Jan Synacek 2017-08-03 06:47:11 UTC
Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is not packaged for Fedora.

Comment 2 Paul Eggert 2017-08-03 08:09:25 UTC
(In reply to Jan Synacek from comment #1)
> Emacs 26 hasn't been released yet. Also, more importantly, GNU Mailutils is
> not packaged for Fedora.

Both of these things are true, and that is why I suggested configuring --with-mailutils as a long-term fix.

The security hole is an immediate problem, though. I suggest configuring Emacs --without-pop right away: this should close the hole for all versions of Emacs being shipped by Fedora. The downside is that this withdraws POP3 support from Emacs, but the support is inherently insecure in a big way (plaintext email transfer!) and should not be used.

Comment 3 Jan Synacek 2017-08-03 08:25:09 UTC
Well, I can do that, but that would also be a regression. I don't consider this too much of a problem, because if someone uses Emacs to retrieve email over POP, they surely know what they are doing.

Comment 4 Paul Eggert 2017-08-03 09:18:22 UTC
(In reply to Jan Synacek from comment #3)
> if someone uses Emacs to retrieve email
> over POP, they surely know what they are doing.

I'm afraid not. Emacs users typically do not know that POP3 mail retrieval works only in unencrypted mode and is inherently insecure. For example, this security problem is not specifically mentioned in:

https://www.emacswiki.org/emacs/GettingMail
https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html

which are among the first places that users are likely to look.

Even expert users are likely to be tripped up by this. Although I've been using Emacs since the 1980s, it came as a surprise to me that POP3 email retrieval does not support encryption. I thought that it just worked (as it works in virtually every other email client).

You're right that configuring --without-pop would be a regression. However, it's a regression that is called for in this particular case.
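
Added example (not part of the original thread, and not Emacs or Fedora code): a shell check that classifies an Emacs build's movemail exposure from the configure flags discussed above, `--without-pop` and `--with-mailutils`. The function names and output labels are hypothetical; the assumption that a pre-26 build with no explicit flag includes POP is taken from the Fedora 25.2 build described in the report.

```shell
#!/bin/sh
# Added example, not code from the bug thread.
# classify_movemail_build OPTS [MAJOR]
#   OPTS:  configure options (Emacs variable system-configuration-options)
#   MAJOR: Emacs major version (emacs-major-version); omitted = pre-26
# Prints: mailutils | pop-disabled | plaintext-pop | unknown
classify_movemail_build() (
    set -f                       # no globbing while word-splitting OPTS
    pop=default mailutils=no
    major=${2:-0}
    # A later configure option overrides an earlier one, so scan in order.
    for opt in $1; do
        opt=${opt#\'}; opt=${opt%\'}     # drop quotes Emacs may record
        case $opt in
            --without-pop|--with-pop=no)             pop=no ;;
            --with-pop|--with-pop=*)                 pop=yes ;;
            --without-mailutils|--with-mailutils=no) mailutils=no ;;
            --with-mailutils|--with-mailutils=*)     mailutils=yes ;;
        esac
    done
    # Per the thread, Mailutils support only arrives with Emacs 26.
    [ "$major" -ge 26 ] 2>/dev/null || mailutils=no
    if [ "$mailutils" = yes ]; then echo mailutils
    elif [ "$pop" = no ]; then echo pop-disabled
    elif [ "$pop" = yes ]; then echo plaintext-pop
    # Assumption: with no explicit flag, builds before 26 include POP,
    # as the Fedora 25.2 build in the thread does.
    elif [ "$major" -lt 26 ] 2>/dev/null; then echo plaintext-pop
    else echo unknown            # 26+ default is not stated in the thread
    fi
)

# Classify the Emacs found on PATH, if any (hypothetical helper).
audit_local_emacs() {
    command -v emacs >/dev/null 2>&1 || { echo no-emacs; return 0; }
    classify_movemail_build \
        "$(emacs --batch --eval '(princ system-configuration-options)' 2>/dev/null)" \
        "$(emacs --batch --eval '(princ emacs-major-version)' 2>/dev/null)"
}
```

Source the file and run `audit_local_emacs` on a host to classify its installed Emacs; a `plaintext-pop` result means movemail can still fetch mail over unencrypted POP.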

