Message-Id: <email address hidden>
Date: Wed, 19 Oct 2005 10:42:06 +1000
From: Geoff Crompton <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-thunderbird: SMTP down negotiation weakness
Package: mozilla-thunderbird
Version: 1.0.2-2.sarge1.0.6
Severity: grave
Justification: user security hole
Thunderbird reverts to plain authentication for SMTP, in order to
provide more compatibility for SMTP servers that don't support crypt
auth. However no warning is given to the user, and there is no way to
override this behaviour, so it is very easy for users' passwords to be
sent in clear text.
This is in Mozilla's bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=311657
It seems that at the moment upstream isn't too concerned about it. But
it sure as heck alarms me.
The researcher who discovered it has this page: http://www.henlich.de/moz-smtp/
I first saw it mentioned on Security Focus: http://www.securityfocus.com/bid/15106
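Added illustration (not part of the bug report, and not Thunderbird's or any other project's code): a self-contained Python simulation of the SMTP AUTH negotiation the report describes. A constructed fake server either advertises CRAM-MD5 on its 250-AUTH line or does not (an old server and an on-path attacker who deletes CRAM-MD5 from the EHLO reply look the same to the client). The client is run with two policies: the fallback behaviour the report complains about, and a strict policy that refuses to send the password in clear. Everything the client sends is collected in a "wire" list so the eavesdropper's view can be checked. Hostnames, the user name and the password are made up; message formats follow RFC 4954 (AUTH), RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5).

```python
import base64
import hashlib
import hmac
import secrets


class AuthDowngradeError(Exception):
    """Raised when only mechanisms that expose the password are on offer."""


class FakeSmtpServer:
    """Constructed stand-in for the server side of SMTP AUTH (no sockets)."""

    def __init__(self, advertise, user, password):
        self.advertise = list(advertise)   # what goes on the 250-AUTH line
        self.user = user
        self.password = password
        self._challenge = None

    def ehlo(self):
        return ["250-mail.example.test",
                "250-AUTH " + " ".join(self.advertise),
                "250 8BITMIME"]

    def cram_md5_challenge(self):
        # RFC 2195: a one-time msg-id style challenge, sent base64 encoded.
        self._challenge = f"<{secrets.token_hex(8)}@mail.example.test>".encode()
        return base64.b64encode(self._challenge).decode()

    def verify_cram_md5(self, response_b64):
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
        expected = hmac.new(self.password.encode(), self._challenge, hashlib.md5).hexdigest()
        return user == self.user and hmac.compare_digest(digest, expected)

    def verify_plain(self, initial_b64):
        _, user, password = base64.b64decode(initial_b64).decode().split("\0")
        return user == self.user and password == self.password


def parse_auth_mechanisms(ehlo_lines):
    """Mechanism names from the 250-AUTH line, upper-cased; empty set if absent."""
    for line in ehlo_lines:
        body = line[4:]                      # drop the "250-" / "250 " prefix
        if body.upper().startswith("AUTH "):
            return {m.upper() for m in body.split()[1:]}
    return set()


def authenticate(server, user, password, allow_cleartext, wire):
    """Client side; every line sent is appended to `wire` (what a sniffer sees).

    allow_cleartext=True is the behaviour in the report: no CRAM-MD5, so fall
    back to PLAIN without telling the user.  False is the policy the reporter
    wants: refuse instead of sending the password in clear.
    """
    offered = parse_auth_mechanisms(server.ehlo())
    if "CRAM-MD5" in offered:
        wire.append("AUTH CRAM-MD5")
        challenge = base64.b64decode(server.cram_md5_challenge())
        digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        response = base64.b64encode(f"{user} {digest}".encode()).decode()
        wire.append(response)                # keyed digest only, never the password
        return server.verify_cram_md5(response), "CRAM-MD5"
    if "PLAIN" in offered:
        if not allow_cleartext:
            raise AuthDowngradeError(f"only {sorted(offered)} offered; refusing cleartext auth")
        initial = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        wire.append("AUTH PLAIN " + initial)   # base64 is encoding, not encryption
        return server.verify_plain(initial), "PLAIN"
    raise AuthDowngradeError(f"no mutually supported mechanism in {sorted(offered)}")


def recover_plain_password(wire):
    """Eavesdropper's view: the password if an AUTH PLAIN exchange is on the wire."""
    for line in wire:
        if line.upper().startswith("AUTH PLAIN "):
            return base64.b64decode(line.split(" ", 2)[2]).decode().split("\0")[2]
    return None


def run_scenarios(user="geoff", password="correct-horse"):
    """Constructed credentials; returns (accepted, mechanism, sniffed password)."""
    results = {}
    good = FakeSmtpServer(["CRAM-MD5", "PLAIN", "LOGIN"], user, password)
    wire = []
    ok, mech = authenticate(good, user, password, True, wire)
    results["cram_md5"] = (ok, mech, recover_plain_password(wire))

    # Same client, CRAM-MD5 missing: legacy server or an attacker stripped it.
    stripped = FakeSmtpServer(["PLAIN", "LOGIN"], user, password)
    wire = []
    ok, mech = authenticate(stripped, user, password, True, wire)
    results["downgraded"] = (ok, mech, recover_plain_password(wire))

    try:
        authenticate(stripped, user, password, False, [])
        results["strict"] = "authenticated"
    except AuthDowngradeError:
        results["strict"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} {outcome}")
```

The "downgraded" run is the whole problem: the login succeeds, nothing looks different to the user, and anyone on the path can read the password straight out of the AUTH PLAIN line. LOGIN is just as bad as PLAIN in this respect. PLAIN is only acceptable once the connection is already inside TLS; the safe client rule is therefore "cleartext mechanisms only after STARTTLS, otherwise stop and warn", which is what the strict policy above approximates.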