Red Hat Bugzilla – Bug 477740
Disable FIPS should require inputting right password
Last modified: 2009-01-21 20:14:41 EST
Description of problem:
If FIPS is enabled, it should be designed to safeguard reading the mails via its password. However, if a user clicks "Cancel" instead of inputting the FIPS password when launching Thunderbird, and goes to Disable FIPS, which does not require inputting a password, then he could read any mail and do any operation arbitrarily.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. enable FIPS and set a password
2. restart Thunderbird and click "Cancel" when asked to input the FIPS password
3. then go to Disable FIPS and read any mail you want
Anyone could read the mails of a FIPS protected account by just disabling it without inputting the password.
It should require the password when disabling FIPS.
This sounds like a good idea to me on first sight, but it should be implemented at the upstream project, therefore I've filed bug: