Comment 5 for bug 24220

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Oct 2005 13:30:15 +0200
From: Alexander Sack - Debian Bugmail <email address hidden>
To: Geoff Crompton <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#334621: mozilla-thunderbird: SMTP down negotiation weakness

severity 334621 important
thanks

On Wed, Oct 19, 2005 at 10:42:06AM +1000, Geoff Crompton wrote:
> Package: mozilla-thunderbird
> Version: 1.0.2-2.sarge1.0.6
> Severity: grave
> Justification: user security hole
>
> Thunderbird reverts to plain authentication for SMTP, in order to
> provide more compatibility for SMTP servers that don't support crypt
> auth. However no warning is given to the user, and there is no way to
> override this behaviour, so it is very easy for users' passwords to be
> sent in clear text.
>
> This is in mozilla's bugzilla:
> https://bugzilla.mozilla.org/show_bug.cgi?id=311657
>
> It seems that at the moment upstream isn't too concerned about it. But
> it sure as heck alarms me.
>
> Researcher who discovered it has this page:
> http://www.henlich.de/moz-smtp/
>
> I first saw it mentioned on Security Focus:
> http://www.securityfocus.com/bid/15106
>

I guess your smtp server should support tls to be secure. Though a switch to
force secure authentication would be good IMO, it's not a grave bug, because
thunderbird does not pretend that it uses secure authentication for SMTP at
all.

--
 GPG messages preferred. | .''`. ** Debian GNU/Linux **
 Alexander Sack | : :' : The universal
 <email address hidden> | `. `' Operating System
 http://www.asoftsite.org | `- http://www.debian.org
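Added example, not code from the bug report or from Thunderbird: a Python sketch of the "switch to force secure authentication" the reply asks for. It parses a raw EHLO reply (constructed sample data below), prefers CRAM-MD5, and refuses to fall back to PLAIN/LOGIN on a non-TLS connection when the switch is on; `tls_active` and `require_secure_auth` are assumed client-side state.

```python
import re

# Mechanisms that hand the password itself to the server; they are only
# acceptable when the connection is already protected by TLS.
CLEARTEXT_MECHS = ("PLAIN", "LOGIN")
# Challenge-response mechanisms that never send the password itself.
SECURE_MECHS = ("CRAM-MD5",)

# Constructed sample EHLO replies (not captured from a real server).
EHLO_FULL = ("250-mail.example.test\r\n250-STARTTLS\r\n"
             "250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n")
EHLO_PLAIN_ONLY = ("250-mail.example.test\r\n"
                   "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")

def parse_ehlo(reply):
    """Return (starttls_offered, set of advertised AUTH mechanisms)."""
    starttls, mechs = False, set()
    for line in reply.splitlines():
        m = re.match(r"250[ -](.*)", line)
        if not m:
            continue
        ext = m.group(1).strip().upper()
        if ext == "STARTTLS":
            starttls = True
        elif ext.startswith("AUTH "):
            mechs.update(ext.split()[1:])
    return starttls, mechs

def choose_auth(reply, tls_active, require_secure_auth):
    """Pick the AUTH mechanism a hardened client should use.

    Returns the mechanism name, or None when the client must refuse to
    authenticate instead of silently downgrading to a cleartext mechanism
    (the weakness reported above: a server, or anyone who can alter the
    EHLO reply in transit, can make the client send the password in clear).
    """
    _starttls, mechs = parse_ehlo(reply)
    for mech in SECURE_MECHS:
        if mech in mechs:
            return mech
    for mech in CLEARTEXT_MECHS:
        if mech not in mechs:
            continue
        if tls_active:
            return mech          # password travels inside TLS: acceptable
        if require_secure_auth:
            return None          # the missing switch: refuse, warn the user
        return mech              # reported behaviour: silent downgrade
    return None                  # nothing usable advertised at all
```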