On Wed, Oct 19, 2005 at 10:42:06AM +1000, Geoff Crompton wrote:
> Package: mozilla-thunderbird
> Version: 1.0.2-2.sarge1.0.6
> Severity: grave
> Justification: user security hole
>
> Thunderbird reverts to plain authentication for SMTP, in order to
> provide more compatibility for SMTP servers that don't support crypt
> auth. However, no warning is given to the user, and there is no way to
> override this behaviour, so it is very easy for users' passwords to be
> sent in clear text.
>
> This is in Mozilla's bugzilla:
> https://bugzilla.mozilla.org/show_bug.cgi?id=311657
>
> It seems that at the moment upstream isn't too concerned about it. But
> it sure as heck alarms me.
>
> The researcher who discovered it has this page:
> http://www.henlich.de/moz-smtp/
>
> I first saw it mentioned on Security Focus:
> http://www.securityfocus.com/bid/15106
>
I guess your SMTP server should support TLS to be secure. Though a switch to
force secure authentication would be good IMO, it's not a grave bug, because
Thunderbird does not pretend that it uses secure authentication for SMTP at
all.
--
GPG messages preferred.  | .''`.  ** Debian GNU/Linux **
Alexander Sack           | : :' : The universal
<email address hidden>   | `. `'  Operating System
http://www.asoftsite.org | `-     http://www.debian.org

Message-ID: <email address hidden>
Date: Wed, 19 Oct 2005 13:30:15 +0200
From: Alexander Sack - Debian Bugmail <email address hidden>
To: Geoff Crompton <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#334621: mozilla-thunderbird: SMTP down negotiation weakness

severity 334621 important
thanks
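Added example, not code from Thunderbird or from either poster: a small Python policy check that parses the server's EHLO capability list and refuses to fall back to PLAIN/LOGIN unless the session is already TLS-protected, i.e. the "force secure authentication" switch the report asks for. The EHLO responses, host name and function names are constructed for this illustration.

```python
"""Client-side guard against a silent SMTP AUTH downgrade.

Constructed example: parse the AUTH mechanisms a server advertises in
its EHLO response, then choose one under an explicit policy instead of
quietly falling back to a clear-text mechanism when the server offers
no challenge-response option.
"""

# Mechanisms that put the password on the wire in recoverable form,
# in preference order if they have to be used at all (PLAIN is standard).
PLAINTEXT_MECHS = ["PLAIN", "LOGIN"]
# Challenge-response mechanisms, preferred regardless of TLS state.
CHALLENGE_MECHS = ["CRAM-MD5"]


class DowngradeRefused(Exception):
    """Raised instead of sending a clear-text password over plain TCP."""


def parse_ehlo_auth(ehlo_response: str) -> set:
    """Return the set of AUTH mechanisms advertised in an EHLO response.

    Accepts both the RFC form 'AUTH PLAIN LOGIN' and the legacy
    'AUTH=PLAIN LOGIN' form some older servers still emit.
    """
    mechs = set()
    for line in ehlo_response.splitlines():
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if body.upper().startswith("AUTH"):
            rest = body[4:].lstrip("= ")
            mechs.update(m.upper() for m in rest.split())
    return mechs


def choose_auth_mechanism(ehlo_response: str, tls_active: bool) -> str:
    """Pick a mechanism; refuse rather than downgrade to clear text without TLS."""
    offered = parse_ehlo_auth(ehlo_response)
    for mech in CHALLENGE_MECHS:
        if mech in offered:
            return mech
    plaintext = [m for m in PLAINTEXT_MECHS if m in offered]
    if plaintext and tls_active:
        return plaintext[0]  # credentials are protected by the TLS session
    if plaintext:
        raise DowngradeRefused("server offers only %s and the session is "
                               "not TLS-protected" % ", ".join(plaintext))
    raise DowngradeRefused("server offers no usable AUTH mechanism")


# Constructed EHLO responses, as a server might answer.
EHLO_STRONG = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME"
EHLO_WEAK = "250-mail.example.test\r\n250-AUTH=PLAIN LOGIN\r\n250 8BITMIME"
```

With `EHLO_WEAK` over a non-TLS session the function raises `DowngradeRefused` instead of returning `PLAIN`, which is the point at which a client should warn the user rather than proceed.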