Red Hat Bugzilla – Bug 162991
Account creation wizard does not prompt for SSL configuration
Last modified: 2007-11-30 17:07:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Description of problem:
The Thunderbird account creation wizard does not ask the user if they would like to use SSL for the connection to the server. Upon completion of the wizard, Thunderbird attempts to open the account on the server, and prompts the user for the password, which will then be sent in cleartext across the network. This inadequacy can (and routinely does) trick even knowledgeable, security-conscious users into sending a password across the network unencrypted.
This has been discussed at great length (over multiple years) by Mozilla developers and users, but it doesn't seem to be a high development priority, even though there are already patches provided:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create IMAP (or POP or NNTP) account in Thunderbird
2. Watch Thunderbird prompt you for the password and send it in cleartext before you have the opportunity to configure SSL
Actual Results: I was not given the option to configure SSL, and I was asked for my password, which was submitted to the server unencrypted.
Expected Results: The wizard should have permitted me to set SSL options prior to attempting to authenticate with the server.
This also occurs on Fedora Core 4. Not sure if severity should be "security" or "enhancement".
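The risk described in this report (a mail client authenticating over IMAP, POP3 or NNTP before any TLS is configured) is something a network defender can detect on the wire. The following is an added example, not part of this bug report and not Thunderbird code: a small scanner over per-session client-to-server lines that flags password-bearing commands sent on a connection that is neither on an implicit-TLS port (993 imaps, 995 pop3s, 563 nntps, the IANA-registered ports) nor upgraded with STARTTLS beforehand. The traffic sample at the bottom is constructed for illustration; the function names and the line tuple format are this example's own assumptions.

```python
"""Flag cleartext mail-protocol credential submission in captured client traffic.

Added example (not from the bug report or Thunderbird). Input is a sequence of
(session_id, dst_port, client_line) tuples, e.g. reassembled from a capture.
"""
import re
from dataclasses import dataclass

IMPLICIT_TLS_PORTS = {993, 995, 563}   # imaps, pop3s, nntps: payload is encrypted on the wire

# Commands that carry a secret in the clear (or in base64, which is not encryption).
# IMAP commands carry a client tag prefix ("a001 LOGIN ..."); POP3/NNTP commands do not.
# Group 1 is the command text to keep, group 2 the secret to mask in findings.
# Limitation: IMAP LOGIN with quoted, space-containing strings is not parsed here.
CREDENTIAL_CMDS = [
    ("imap-login", re.compile(r"^(\S+\s+LOGIN\s+\S+\s+)(\S+)", re.I)),
    ("pop3-pass",  re.compile(r"^(PASS\s+)(\S+)", re.I)),
    ("nntp-pass",  re.compile(r"^(AUTHINFO\s+PASS\s+)(\S+)", re.I)),
    # AUTH PLAIN / AUTHENTICATE PLAIN: flagged at the command itself, whether the
    # base64 initial response is inline (group 2) or sent on the next line.
    ("sasl-plain", re.compile(r"^((?:\S+\s+)?AUTH(?:ENTICATE)?\s+PLAIN\b\s*)(\S*)", re.I)),
]
STARTTLS_RE = re.compile(r"^(?:\S+\s+)?STARTTLS\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    session: str
    line_no: int
    kind: str
    redacted: str   # the offending command with the secret masked


def find_cleartext_credentials(lines):
    """Return one Finding per credential sent without TLS protection.

    A session is treated as protected once the client issues STARTTLS; in a
    real capture nothing after that point would be readable anyway.
    """
    upgraded = set()
    findings = []
    for line_no, (session, port, text) in enumerate(lines, start=1):
        text = text.rstrip("\r\n")
        if port in IMPLICIT_TLS_PORTS or session in upgraded:
            continue
        if STARTTLS_RE.match(text):
            upgraded.add(session)
            continue
        for kind, pattern in CREDENTIAL_CMDS:
            m = pattern.match(text)
            if m:
                secret = m.group(2)
                masked = m.group(1) + "*" * min(len(secret), 8)
                findings.append(Finding(session, line_no, kind, masked))
                break
    return findings


# Constructed sample traffic (not real captures): session, dst_port, client line.
SAMPLE_TRAFFIC = [
    ("s1", 143, "a001 LOGIN alice hunter2"),                  # cleartext IMAP LOGIN -> flagged
    ("s2", 993, "a001 LOGIN bob s3cret"),                     # imaps: encrypted on the wire
    ("s3", 143, "a001 STARTTLS"),
    ("s3", 143, "a002 LOGIN carol pw"),                       # after STARTTLS -> protected
    ("s4", 110, "USER dave"),
    ("s4", 110, "PASS letmein"),                              # cleartext POP3 -> flagged
    ("s5", 119, "AUTHINFO USER erin"),
    ("s5", 119, "AUTHINFO PASS nntp-pass"),                   # cleartext NNTP -> flagged
    ("s6", 143, "a001 AUTHENTICATE PLAIN AGZyYW5rAHBhc3M="),  # base64 != encryption -> flagged
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_TRAFFIC):
        print(f"{f.session} line {f.line_no}: {f.kind}: {f.redacted}")
```

The findings never carry the secret itself, only a masked command, so the scanner's output can go into a ticket or a SIEM without re-exposing the password. The correct fix on the client side is exactly what the report asks for: offer SSL/TLS (implicit TLS on 993/995/563, or STARTTLS) before the first authentication attempt, so that no such line is ever sent.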
Long-time discussed upstream bug is certainly a good candidate for being closed as CLOSE/UPSTREAM (see https://bugzilla.redhat.com/bugzilla/page.cgi?id=fields.html#upstream for more explanation of what this state means).