Bug 459619 - passwords transmitted in the clear
Summary: passwords transmitted in the clear
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: evolution
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Matthew Barnes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-08-20 16:31 UTC by cje
Modified: 2008-08-21 14:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-21 14:14:27 UTC
Type: ---
Embargoed:




Links:
GNOME Bugzilla 547308
GNOME Bugzilla 548838

Description cje 2008-08-20 16:31:18 UTC
Description of problem:

Using an LDAP address book and non-anonymous authentication, evo passes the username and password in the clear in a simple bind request.

Since the server requires TLS encryption, an 'invalid credentials' response is returned. evo doesn't prompt for a new password; it just tries again, continuously, five times per second for as long as evolution is running.

This happens even if "Use secure connection" is set to "TLS encryption".

Version-Release number of selected component (if applicable):
2.22.3.1-1.fc9
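To make the description above concrete, here is an added example (not Evolution code, not from this bug) that encodes an LDAP simple BindRequest the way RFC 4511 lays it out, parses one back out of a captured byte stream, and shows the client-side gate a mail client should apply: never hand a simple bind to the socket until StartTLS has completed when the account requires TLS. The DN and password are constructed sample values; the function and class names are this example's own.

```python
"""Added example: LDAP simple bind on the wire, a detector for plaintext
binds in a captured stream, and a TLS gate before sending one.
Pure standard library; the DN/password below are constructed sample data."""

# BER tags used by an LDAP BindRequest (RFC 4511, section 4.2).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80    # AuthenticationChoice.simple [0], primitive OCTET STRING


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v: int) -> bytes:
    # Enough for message IDs and the protocol version (3); larger values
    # would need a minimal two's-complement encoding, which is omitted here.
    assert 0 <= v <= 0x7F
    return _tlv(INTEGER, bytes([v]))


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, dn, simple password } }."""
    bind = (_ber_int(3)
            + _tlv(OCTET_STRING, dn.encode())
            + _tlv(AUTH_SIMPLE, password.encode()))
    return _tlv(SEQUENCE, _ber_int(msg_id) + _tlv(BIND_REQUEST, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(msg: bytes):
    """Return (msg_id, dn, password) if msg is a simple BindRequest, else None.
    The password comes straight out of the bytes: nothing hides it on a
    cleartext connection."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        return None
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != AUTH_SIMPLE:
        return None  # SASL bind: no bare password field to read
    return int.from_bytes(mid, "big"), dn.decode(), cred.decode()


def find_plaintext_binds(stream: bytes):
    """Walk a captured cleartext LDAP stream and list every simple bind that
    carries a non-empty password (an anonymous bind sends an empty one)."""
    found, pos = [], 0
    while pos < len(stream):
        _, _body, nxt = _read_tlv(stream, pos)
        parsed = parse_simple_bind(stream[pos:nxt])
        if parsed and parsed[2]:
            found.append((parsed[1], parsed[2]))
        pos = nxt
    return found


class PlaintextBindRefused(Exception):
    """Raised instead of leaking a password over an unencrypted transport."""


def bind_bytes_for_transport(dn, password, transport_encrypted, require_tls, msg_id=1):
    """Client-side gate: when the account demands TLS, a simple bind is only
    produced once StartTLS (or LDAPS) has made the transport encrypted."""
    if require_tls and not transport_encrypted:
        raise PlaintextBindRefused("refusing to send a simple bind before StartTLS")
    return build_simple_bind(msg_id, dn, password)


if __name__ == "__main__":
    # Constructed sample: what a sniffer on the path would see.
    wire = build_simple_bind(1, "uid=cje,dc=example,dc=org", "hunter2")
    print(wire.hex())
    print(find_plaintext_binds(wire))
```

Run as a script, the hex dump shows the DN and password as readable bytes inside the BindRequest, which is exactly what a passive observer gets whenever a client binds before negotiating TLS; `find_plaintext_binds` is the same logic a network sensor would use to flag such binds, and `bind_bytes_for_transport` is the check that prevents the client from producing them in the first place.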

Comment 1 Milan Crha 2008-08-21 09:14:37 UTC
The issue of "poking the server forever" is an upstream bug [1], which has been committed to trunk (the 2.23.x branch) and will be available in the 2.24 series.
The other issue, a non-TLS bind even when TLS is explicitly required, is I think sort of known, but I cannot find the upstream bug for it at the moment.

[1] http://bugzilla.gnome.org/show_bug.cgi?id=547308

Comment 2 cje 2008-08-21 10:55:18 UTC
Thanks for finding that.

As far as I understand it, if we can get the non-TLS thing fixed then the 'poking the server forever' thing will go away anyway, since it'll stop getting the 'invalid credentials' response.

I can't find a GNOME bug for the non-TLS thing either, so I've created one: http://bugzilla.gnome.org/show_bug.cgi?id=548838

Can we up the priority on this? I don't know how many people use LDAP address books non-anonymously, but surely an awful lot of people are currently transmitting their passwords in the clear across the public internet without realising it?

Comment 3 Milan Crha 2008-08-21 14:14:27 UTC
(In reply to comment #2)
> thanks for finding that.
> 
> As far as I understand it, if we can get the non-TLS thing fixed then the
> 'poking the server forever' thing will go away anyway, since it'll stop getting
> the 'invalid credentials' response.

Yes, that's true.

> I can't find a GNOME bug for the non-TLS thing either, so I've created one:
> http://bugzilla.gnome.org/show_bug.cgi?id=548838
> 
> Can we up the priority on this? I don't know how many people use LDAP address
> books non-anonymously, but surely an awful lot of people are currently
> transmitting their passwords in the clear across the public internet without
> realising it?

Thanks for filing the bug upstream. I would really like to have this fixed in the upstream version, with their acknowledgement, so I'll close this as upstream.
I understand your point, but I'm afraid we are quite late in the release cycle; we will see, and hopefully someone will fix it soon.

