Bug 162991 - Account creation wizard does not prompt for SSL configuration
Summary: Account creation wizard does not prompt for SSL configuration
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: thunderbird
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-12 00:35 UTC by Chris Snook
Modified: 2007-11-30 22:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-16 13:37:10 UTC
Target Upstream Version:
Embargoed:

Links: Mozilla Foundation 221030 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Chris Snook 2005-07-12 00:35:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
The Thunderbird account creation wizard does not ask the user if they would like to use SSL for the connection to the server.  Upon completion of the wizard, Thunderbird attempts to open the account on the server, and prompts the user for the password, which will then be sent in cleartext across the network.  This inadequacy can (and routinely does) trick even knowledgeable, security-conscious users into sending a password across the network unencrypted.

This has been discussed at great length (over multiple years) by Mozilla developers and users, but it doesn't seem to be a high development priority, even though there are already patches provided:

https://bugzilla.mozilla.org/show_bug.cgi?id=221030

Version-Release number of selected component (if applicable):
thunderbird-1.0.2-1.4.1

How reproducible:
Always

Steps to Reproduce:
1. Create IMAP (or POP or NNTP) account in Thunderbird
2. Watch Thunderbird prompt you for the password and send it in cleartext before you have the opportunity to configure SSL  

Actual Results:  I was not given the option to configure SSL, and I was asked for my password, which was submitted to the server unencrypted.

Expected Results:  The wizard should have permitted me to set SSL options prior to attempting to authenticate with the server.

Additional info:

This also occurs on Fedora Core 4.  Not sure if severity should be "security" or "enhancement".
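
The behaviour the report asks for, sketched for IMAP as an added example (not Thunderbird code and not part of the original report): decide from the server's advertised capabilities whether the password may be sent, and upgrade with STARTTLS first. The function names and the sample greetings are constructed for illustration.

```python
import imaplib
import ssl

# Constructed sample greetings, not captured from a real server.
GREETING_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
GREETING_PLAIN = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"


def parse_capabilities(line: str) -> set:
    """Extract capability atoms from a greeting or '* CAPABILITY' response."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start < 0:
        return set()
    # In a greeting the list ends at ']'; in an untagged response at end of line.
    rest = upper[start + len("CAPABILITY"):].split("]", 1)[0]
    return set(rest.split())


def login_plan(capabilities: set, tls_active: bool) -> str:
    """Return what a client may do with the password at this point."""
    if tls_active:
        return "login"           # channel is already encrypted
    if "STARTTLS" in capabilities:
        return "starttls-first"  # upgrade, then authenticate
    return "refuse"              # no TLS on offer: keep the password local


def login_over_tls(host: str, user: str, password: str) -> imaplib.IMAP4:
    """Connect on port 143 and authenticate only after STARTTLS succeeds."""
    conn = imaplib.IMAP4(host)
    caps = {c.upper() for c in conn.capabilities}
    if login_plan(caps, tls_active=False) != "starttls-first":
        conn.shutdown()
        raise RuntimeError(f"{host} offers no STARTTLS; password not sent")
    # The default context verifies the server certificate and hostname.
    conn.starttls(ssl_context=ssl.create_default_context())
    conn.login(user, password)
    return conn
```
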

Comment 1 Matěj Cepl 2007-05-16 13:36:25 UTC
A long-discussed upstream bug is certainly a good candidate for being closed
as CLOSE/UPSTREAM (see
https://bugzilla.redhat.com/bugzilla/page.cgi?id=fields.html#upstream for more
explanation of what this state means).
