Bug 162991 - Account creation wizard does not prompt for SSL configuration
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: thunderbird
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Christopher Aillon
https://bugzilla.mozilla.org/show_bug...
Reported: 2005-07-11 20:35 EDT by Chris Snook
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-05-16 09:37:10 EDT
External Trackers: Mozilla Foundation 221030 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Chris Snook 2005-07-11 20:35:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
The Thunderbird account creation wizard does not ask the user if they would like to use SSL for the connection to the server.  Upon completion of the wizard, Thunderbird attempts to open the account on the server, and prompts the user for the password, which will then be sent in cleartext across the network.  This inadequacy can (and routinely does) trick even knowledgeable, security-conscious users into sending a password across the network unencrypted.

This has been discussed at great length (over multiple years) by Mozilla developers and users, but it doesn't seem to be a high development priority, even though there are already patches provided:

https://bugzilla.mozilla.org/show_bug.cgi?id=221030

Version-Release number of selected component (if applicable):
thunderbird-1.0.2-1.4.1

How reproducible:
Always

Steps to Reproduce:
1. Create IMAP (or POP or NNTP) account in Thunderbird
2. Watch Thunderbird prompt you for the password and send it in cleartext before you have the opportunity to configure SSL  

Actual Results:  I was not given the option to configure SSL, and I was asked for my password, which was submitted to the server unencrypted.

Expected Results:  The wizard should have permitted me to set SSL options prior to attempting to authenticate with the server.

Additional info:

This also occurs on Fedora Core 4.  Not sure if severity should be "security" or "enhancement".
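
The failure mode reported above can be confirmed from a session transcript. The following is an added example, not part of the bug report or of Thunderbird: it flags password-bearing IMAP, POP3 and NNTP commands sent before a confirmed TLS upgrade. The function name, the `C:`/`S:` transcript format and the sample sessions are assumptions constructed for illustration.

```python
import re

# Per protocol: client command that carries the password, client command
# that requests a TLS upgrade, and the server reply that confirms it.
RULES = {
    "imap": (r"^\S+ LOGIN ", r"^(\S+) STARTTLS$", r"^{tag} OK"),
    "pop3": (r"^PASS ", r"^STLS$", r"^\+OK"),
    "nntp": (r"^AUTHINFO PASS ", r"^STARTTLS$", r"^382"),
}

def cleartext_passwords(protocol, transcript, implicit_tls=False):
    """Return 1-based transcript positions where a password crossed the
    wire unencrypted. Lines are 'C: ...' (client) or 'S: ...' (server).
    implicit_tls=True means the socket was TLS-wrapped from the first byte
    (the 'use SSL' setting, conventionally ports 993/995/563)."""
    if implicit_tls:
        return []
    cred_re, tls_re, ok_tpl = RULES[protocol]
    pending = None  # server reply that would confirm a requested upgrade
    hits = []
    for n, entry in enumerate(transcript, 1):
        side, _, text = entry.partition(": ")
        text = text.strip()
        if side == "C":
            m = re.match(tls_re, text, re.I)
            if m:
                tag = re.escape(m.group(1)) if m.groups() else ""
                pending = re.compile(ok_tpl.format(tag=tag), re.I)
            elif re.match(cred_re, text, re.I):
                hits.append(n)
        elif side == "S" and pending is not None and not text.startswith("*"):
            if pending.match(text):
                return hits  # upgrade confirmed; later traffic is encrypted
            pending = None   # upgrade refused; the session stays cleartext
    return hits

# Constructed sample sessions (not captured traffic).
IMAP_PLAIN = ["S: * OK IMAP4rev1 ready",
              "C: a1 LOGIN alice example-password",
              "S: a1 OK LOGIN completed"]
IMAP_STARTTLS = ["S: * OK IMAP4rev1 ready",
                 "C: a1 STARTTLS",
                 "S: a1 OK Begin TLS negotiation now"]
POP3_REFUSED = ["S: +OK POP3 ready", "C: STLS", "S: -ERR TLS not available",
                "C: USER alice", "S: +OK", "C: PASS example-password",
                "S: +OK logged in"]
```

The `POP3_REFUSED` case covers a client that falls back to cleartext after the server declines the upgrade; only IMAP `LOGIN`, POP3 `PASS` and NNTP `AUTHINFO PASS` are checked, so SASL mechanisms are out of scope here.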
Comment 1 Matěj Cepl 2007-05-16 09:36:25 EDT
Long-time discussed upstream bug is certainly a good candidate for being closed
as CLOSE/UPSTREAM (see
https://bugzilla.redhat.com/bugzilla/page.cgi?id=fields.html#upstream for more
explanation what this state means).
