Weak default authentication mode

Bug #119358 reported by otzenpunk on 2007-06-08
Affects                Status        Importance  Assigned to   Milestone
Mozilla Thunderbird    Fix Released  High
thunderbird (Ubuntu)                 Wishlist    Mozilla Bugs

Bug Description

Binary package hint: mozilla-thunderbird

When starting Thunderbird the first time, the account wizard neither asks for nor provides by default any attempt to secure the password. SSL/TLS is off and so is "secure authentication" via CRAM-MD5 or such. So the password is sent in clear text at least once, as long as you don't interrupt the password dialog after finishing the wizard and turn on "secure authentication" manually.

Thunderbird should use CRAM-MD5 by default, as long as it is accepted by the server. If it is not, Thunderbird should display a warning that the password is sent in the clear.

Tested with an IMAP box, don't know about POP3 or SMTP.

Forgot to mention. I posted on forums.mozillazine.org but got no reply. I can
volunteer to implement a fix myself if someone can guide me in the right dimension.

Karn (karn) wrote :

I agree that this is a very serious problem for many naive users. At least some
very widely used IMAP servers disallow unencrypted connections; I think this is
actually required by the IMAP spec. So the new account wizard should
*definitely* ask the user if the connection is to be encrypted. Better yet, it
should try it both ways and figure it out on its own.

Also, some imap servers (like uw-imapd) require the client to present a
directory name where the IMAP folders are kept, and will not work without it.
This is common enough that the new account wizard should prompt for this setting
as well.

Created an attachment (id=154248)
diff

this has been an annoyance for me too for some time. i have some code that
might be a fix. i'm new to xul and javascript, though - some review would be
nice. seems to be working for me.

there's a modified locale dtd - i only did en-US.

i haven't contributed before, so i don't know the mechanics. i attached some diffs:

/mozilla/mailnews/base/prefs/resources/locale/en-US/AccountWizard.dtd
/mailnews/base/prefs/resources/content/AccountWizard.js
/mailnews/base/prefs/resources/content/AccountWizard.xul
/mailnews/base/prefs/resources/content/aw-server.js
/mailnews/base/prefs/resources/content/aw-done.js

Created an attachment (id=154249)
AccountWizard.js

Created an attachment (id=154250)
AccountWizard.xul

Created an attachment (id=154251)
aw-done.js

Created an attachment (id=154252)
aw-server.js

Can you add an attachment of a screenshot ?

Created an attachment (id=154564)
screenshot - account wizard - server

Created an attachment (id=154565)
screenshot - acct wiz - "done" page

i should mention that i made the code changes to: Mozilla 1.8a3, build 2004072106

so, this isn't against the thunderbird code. my assumption was that this is
something we'd want in moz and thunderbird, and thunderbird branches off of
mozilla, correct?

Lloyd, can we get one complete -u diff for all your changes? I think this
enhancement is something we want...

sorry, i'm not even sure if i have the code anymore. it's been about 18 months.
i'm not merging this into my own build, i just offered the code in hopes that
it would find itself into the regular build (or at least inspire someone else to
improve/rewrite it), since it's an issue we ran into repeatedly with our users.

hopefully the code that's there is useful, though i suspect someone who's had
more than about an hour of familiarity with the codebase (which is about what i
had) should be able to polish it off pretty quickly.

IAC, i'll search my drive at work in the next couple days.

Created an attachment (id=185891)
mockup of serverinfo page: pop vs imap, pop too long

I have been looking into this. I guess we should allow TLS and secure
authentication also. Problem is, for POP the server info page becomes too long.

So, something would have to move
- move smtp server setting to page of its own?
- global inbox settings?

What do you think?

Created an attachment (id=186130)
proposed fix

Went ahead and created a patch. This patch
- adds the security options for pop/imap
- also adds a checkbox for secure news
- moves the global inbox setting to the finish page

This needs both r and sr right?

Created an attachment (id=186131)
Screenshots for the patch in attachment 186130

(From update of attachment 186130)
switching r/sr - no sense in my looking at this if Scott doesn't want it :-)

David, maybe you can push mscott to at least take a look at this and drop a short statement why this is not feasible/considered?

For the next release, we should consider this. Ideally, we'd do an auto-detection of whether SSL or TLS works, and auto-configure.

David, thanks. Do you refer with "next release" to Thunderbird 2 or the next 1.8.0 branch release?

neither - the next (probably major) release after 2.0


Siegfried Gevatter (rainct) wrote :

Thanks for your bug report!

However, I can't reproduce this problem with Thunderbird 2.0 (20070513). The wizard doesn't ask me for any password, and on the last step it provides the possibility to select if you want to start downloading mails or not.

Changed in thunderbird:
assignee: nobody → rainct
status: Unconfirmed → Needs Info
otzenpunk (reisswolf-nospam) wrote :

I've got version 1.5.0.12-0ubuntu0.7.04 from the feisty repos here.

Although the password dialog is not part of the wizard, i am not asked if i want to start downloading mail, but the wizard ends and the password dialog opens immediately.

Anyway - that's not my main point. It is that Thunderbird should use some secure way to submit the password by default, because unknowledgeable users won't go to the account settings and choose one by themselves.

Siegfried Gevatter (rainct) wrote :

It would be great if you could ask the Thunderbird developers for this directly; you can do so by opening a bug there: https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&format=guided . I'd do it myself but you are probably the best one to report this.

If you do so please post the URL of the new bug here.

Changed in thunderbird:
assignee: rainct → nobody
status: Needs Info → Confirmed
Changed in thunderbird:
status: Unknown → Unconfirmed
Alexander Sack (asac) wrote :

upstream confirmed it in progress for ubuntu

Changed in thunderbird:
assignee: nobody → mozilla-bugs
status: Confirmed → In Progress
Changed in thunderbird:
importance: Undecided → Wishlist

(In reply to comment #21)
> For the next release, we should consider this. Ideally, we'd do an
> auto-detection of whether SSL or TLS works, and auto-configure.

I found this filed as bug 394487 along with a suggestion for a possible scan order. Judging from the increasing number of "cannot connect" posts at MZ forums, and the fact that more and more providers are requiring encryption these days, having more options in the initial account setup is crucial. First-time users may be frustrated twice by first not finding any option in the account wizard to specify the port and encryption method obtained from their providers, then again when the first connection fails. Taking the guesswork out by a scanning mechanism would certainly be the best solution, I agree.

A few more thoughts:
 - Include SMTP in this bug, as providers are more likely to require encryption also for outgoing e-mails these days.
 - Offer port options rather than just encryption, e.g., TLS may be on either port 25 or 587; or, add the port to the attachment 186131 layout.

Possible port options to select in the account wizard:
 - POP3: 110 (implies try TLS), 995 (use SSL)
 - IMAP: 143 (implies try TLS), 993 (use SSL)
 - SMTP: 25 (implies try TLS), 465 (use SSL), 587 (try TLS)

Note that none of the options has "no encryption" by default, assuming the "try TLS" option can be used if TLS is not supported by the server.

Nominating for Tbird 3.

as google is rolling out free imap over ssl to access gmail accounts this suddenly becomes rather more important... as this convoluted setup instruction reflects:

http://mail.google.com/support/bin/answer.py?answer=77662

Supporting comment #25. However, ideally a solution for the next major release should extend the options for all three protocols (IMAP, POP, SMTP) in the Account Wizard.

Updating the special setup dialogs for Gmail's new IMAP access is handled in bug 400931 as an enhancement request. Given that many - if not most - providers require special port and encryption settings for their services, the issue goes well beyond Gmail. It seems more desirable though to have a solid generic setup interface than trying to provide separate ISP-specific "easy setup" dialogs.

(From update of attachment 186130)
Obsoleting, badly bitrotted.

*** Bug 426497 has been marked as a duplicate of this bug. ***

*** Bug 383841 has been marked as a duplicate of this bug. ***

Changed in thunderbird:
status: New → Invalid

Created an attachment (id=314031)
patch

Created an attachment (id=314032)
new file

Put this file under mailnews/base/prefs/resources/content

Created an attachment (id=314034)
SmtpServerSettings.xul

Put this file under mailnews/base/prefs/resources/content

Created an attachment (id=314036)
screenshot

Created an attachment (id=314037)
screenshot

Boying: to include new files in the patch you can use the "cvsdo add" command and generate the patch with something like cvs diff -upN9. (cvsdo is part of cvsutils)

Also, "Advance" should probably be "Advanced..."

Created an attachment (id=314535)
new patch

1. add include new files
2. change "Advance" to "Advanced"
3. change the access key from "a" to "A"
4. clean up codes in the previous patch

Created an attachment (id=314536)
new screenshot

(From update of attachment 314535)
I've discovered that there's a plan for this; I'll post the URL in a sec. It's based on your patch for bug 426497 but to reduce clutter the global inbox checkbox is moved to the last page and menulists are used instead of radiogroups.

Bug 326076 is another place that switched from a radio group to a menulist.

SSL is getting very common, really think we need to sort this out for tb3.

There are some designs in progress sketched out at:
http://wiki.mozilla.org/MailNews:Account_Wizard
and specifically for email:
http://wiki.mozilla.org/MailNews:Account_Wizard:Email

> (comment #42) http://wiki.mozilla.org/MailNews:Account_Wizard:Email#Page_3

I like that the menu lists use less space and would be extendable for further encryption protocols (if any new ones come up). The authentication on Page 4 is good too and separates connection and authentication better than having both on the same page. However, I still think that the *port* numbers should be offered somewhere, which initially can be set to the respective defaults as done now. Keep in mind that the port may not be uniquely derivable from the encryption protocol used, especially for SMTP (e.g., port 25 vs. 587).

This is Page 3 extended by port fields next to the server name, corresponding to the current Server Settings tab. While comment #34 introduced a separate page with "Advanced" button, this may be a little more "cluttering" but avoids a separate page for the port:

   /Choose:/
   [*] POP [ ] IMAP

   /explanatory text/

   Incoming Server: [ mail.doe.mail ] Port: [110]
   [ ] Use Secure Connection [ TLS, if available \/]

   ----

   /explanatory text/

   Outgoing Server: [ smtp.doe.mail ] Port: [ 25]
   [ ] Use Secure Connection [ TLS, if available \/]

   [[ < Back ]] [[ Next > ]] [[ Cancel ]]

That looks good to me. I don't think it adds too much clutter considering its necessity.

Can you update the wiki page to reflect this change?

> (comment #45) Can you update the wiki page to reflect this change?

Done. I've also updated Page 6 (summary page) to reflect the additional options, please modify any of those as you see fit.

These proposed revisions will enhance User configuration for the U.S. Dept. of Defense which uses SSL for IMAP and SMTP connections. I suspect that the other governmental Depts are similar.

- some updates, already put into bug 326076 -

The Account Wizard wiki has been updated to reflect some discussion coming out
of the wiki talk page. This includes a better menu list item.

Also bug 422814 has some work on auto-probe for connection type and port config

I'm not certain of the privacy implications, but perhaps following Outlook 2007's lead and guess the proper ports/security settings, working from more secure to less secure?
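As an added example (not Thunderbird's code, nor any of the patches attached to this bug), here is the selection logic the thread asks for, carried through for IMAP: parse the server's CAPABILITY response, probe port 993 before 143 as the port list above suggests, prefer CRAM-MD5 as the bug description proposes, and produce the "sent in the clear" warning otherwise. The function names, the probe map and the sample CAPABILITY lines are assumptions constructed for this example.

```javascript
// Added example, not Thunderbird code: pick connection security and SASL
// mechanism from what an IMAP server advertises, most secure option first.

// Parse an untagged "* CAPABILITY ..." line into an upper-cased token set.
function parseCapabilities(line) {
  const m = /^\*\s+CAPABILITY\s+(.+)$/i.exec(line.trim());
  if (!m) throw new Error("not a CAPABILITY response: " + line);
  return new Set(m[1].split(/\s+/).map((t) => t.toUpperCase()));
}

// Port 993 is implicit SSL/TLS ("use SSL"); on 143 upgrade with STARTTLS when
// it is offered ("try TLS"); otherwise the socket stays in the clear.
function chooseConnection(port, caps) {
  if (port === 993) return "ssl";
  if (caps.has("STARTTLS")) return "starttls";
  return "plain";
}

// CRAM-MD5 never puts the password on the wire, so it wins even on a clear
// socket; PLAIN and LOGIN are only acceptable once the link is encrypted.
// LOGINDISABLED: the server refuses clear-text LOGIN here (RFC 3501, 6.2.3).
function chooseAuth(encrypted, caps) {
  const mechs = [...caps].filter((c) => c.startsWith("AUTH=")).map((c) => c.slice(5));
  if (mechs.includes("CRAM-MD5")) return { auth: "CRAM-MD5", warning: null };
  if (encrypted) {
    if (mechs.includes("PLAIN")) return { auth: "PLAIN", warning: null };
    if (!caps.has("LOGINDISABLED")) return { auth: "LOGIN", warning: null };
    return { auth: null, warning: "server offers no usable authentication" };
  }
  if (caps.has("LOGINDISABLED")) {
    return { auth: null, warning: "server refuses clear-text login; enable SSL/TLS" };
  }
  // Only clear-text PLAIN/LOGIN is left: the default this bug report is about.
  const auth = mechs.includes("PLAIN") ? "PLAIN" : "LOGIN";
  return { auth, warning: "password will be sent in the clear" };
}

// Decide settings for one port. `capsBefore` is the CAPABILITY line seen on the
// initial socket; `capsAfterTls` is the line re-read after STARTTLS, because a
// client must discard cached capabilities after the upgrade (RFC 3501, 6.2.1).
function configureImap(port, capsBefore, capsAfterTls) {
  const initial = parseCapabilities(capsBefore);
  const connection = chooseConnection(port, initial);
  const caps = connection === "starttls" ? parseCapabilities(capsAfterTls) : initial;
  const encrypted = connection !== "plain";
  return { port, connection, encrypted, ...chooseAuth(encrypted, caps) };
}

// Simulated auto-probe in the order the thread suggests, more secure first.
// `listen` maps a port to { before, afterTls } capability lines, or null when
// the port is closed; a real wizard would be opening sockets here instead.
function probeImap(listen) {
  for (const port of [993, 143]) {
    const r = listen[port];
    if (r) return configureImap(port, r.before, r.afterTls || r.before);
  }
  return null;
}

// Constructed sample server: STARTTLS required, CRAM-MD5 advertised only after it.
const SAMPLE = {
  993: null,
  143: { before: "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
         afterTls: "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=CRAM-MD5" },
};
```

`probeImap(SAMPLE)` resolves to port 143 with STARTTLS and CRAM-MD5 and no warning; the same server without STARTTLS would come back with `auth: null` and a warning telling the user to enable SSL/TLS.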

moving to b2 - this is completely dependent on the new account config stuff landing, which may or may not happen for b1, but it's not useful to track this separately.

John Vivirito (gnomefreak) wrote :

Updated upstream bug report.

Changed in thunderbird:
status: Invalid → Unknown
John Vivirito (gnomefreak) wrote :

Is this still an issue for anyone?

Changed in thunderbird:
status: Unknown → Confirmed
otzenpunk (reisswolf-nospam) wrote :

> Is this still an issue for anyone?

I think so. I myself use another mail client, but the issue is still present in Intrepid. Just tested it, and it used SASL LOGIN although CRAM-MD5 was available.

Of course, there is an option in the wizard now, where you can disable downloading mail immediately, so you can select this and change the account settings manually before downloading your mail for the first time, but that depends on your knowledge about this stuff.

Joe Public will happily use the default and won't encrypt his passwords at all.

On Fri, Dec 05, 2008 at 01:56:31PM -0000, otzenpunk wrote:
> > Is this still an issue for anyone?
>
> I think so. I myself use another mail client, but the issue is still
> present in Intrepid. Just tested it, and it used SASL LOGIN although
> CRAM-MD5 was available.
>
> Of course, there is an option in the wizard now, where you can disable
> downloading mail immediately, so you can select this and change the
> account settings manually before downloading your mail for the first
> time, but that depends on your knowledge about this stuff.
>
> Joe Public will happily use the default and won't encrypt his passwords
> at all.
>

Please try shredder (tbird 3 preview) ... you can install
thunderbird-3.0 package from ~fta PPA.

 - Alexander

Alexander Sack (asac) wrote :

On Sat, Dec 06, 2008 at 04:38:21PM -0000, Alexander Sack wrote:
> On Fri, Dec 05, 2008 at 01:56:31PM -0000, otzenpunk wrote:
> > > Is this still an issue for anyone?
> >
> > I think so. I myself use another mail client, but the issue is still
> > present in Intrepid. Just tested it, and it used SASL LOGIN although
> > CRAM-MD5 was available.
> >
> > Of course, there is an option in the wizard now, where you can disable
> > downloading mail immediately, so you can select this and change the
> > account settings manually before downloading your mail for the first
> > time, but that depends on your knowledge about this stuff.
> >
> > Joe Public will happily use the default and won't encrypt his passwords
> > at all.
> >
>
> Pleaes try shredder (tbird 3 preview) ... you can install
> thunderbird-3.0 package from ~fta PPA.
>

If you don't know what ~fta PPA means:

 http://launchpad.net/~fta/+archive

 - Alexander

Alexander Sack (asac) wrote :

On Sun, Dec 14, 2008 at 05:12:36PM -0000, Alexander Sack wrote:
> On Sat, Dec 06, 2008 at 04:38:21PM -0000, Alexander Sack wrote:
> > On Fri, Dec 05, 2008 at 01:56:31PM -0000, otzenpunk wrote:
> > > > Is this still an issue for anyone?
> > >
> > > I think so. I myself use another mail client, but the issue is still
> > > present in Intrepid. Just tested it, and it used SASL LOGIN although
> > > CRAM-MD5 was available.
> > >
> > > Of course, there is an option in the wizard now, where you can disable
> > > downloading mail immediately, so you can select this and change the
> > > account settings manually before downloading your mail for the first
> > > time, but that depends on your knowledge about this stuff.
> > >
> > > Joe Public will happily use the default and won't encrypt his passwords
> > > at all.
> > >
> >
> > Pleaes try shredder (tbird 3 preview) ... you can install
> > thunderbird-3.0 package from ~fta PPA.
> >
>
> If you dont know what ~fta PPA means:
>
> http://launchpad.net/~fta/+archive
>
>

tbird 3 beta 1 is there, consider to test please.

 - Alexander

still trying to get this for b2, but not blocking b2

the new mail account setup wizard in bug 422814 fixes this.

Changed in thunderbird:
status: Confirmed → Fix Released
Micah Gersten (micahg) wrote :

Setting to Triaged pending release of Thunderbird 3 in Ubuntu.

Changed in thunderbird:
milestone: none → 3.0
Changed in thunderbird (Ubuntu):
status: In Progress → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.0+nobinonly-0ubuntu1

---------------
thunderbird (3.0+nobinonly-0ubuntu1) lucid; urgency=low

  * New Upstream Release 3.0 (THUNDERBIRD_3_0_RELEASE)
    - LP: #50902 - Thunderbird displays useless dialog
    - LP: #52667 - Thunderbird doesn't support RFC-2369
    - LP: #49033 - Doesn't recognize upper case extension (.JPG)
    - LP: #56465 - Per folder column widths
    - LP: #68456 - CTRL-Shift-K bound to 2 functions
    - LP: #79337 - Typo in Server Information for Add Account Wizard
    - LP: #1084 - No scroll on full headers list
    - LP: #62071 - Middle click on scrollbar pastes instead of jumping
    - LP: #119358 - Weak default authentication mode
    - LP: #120672 - No option to empty junk folder with right click
    - LP: #96566 - movemail doesn't work with default privs
    - LP: #122529 - Non-Thunderbird IMAP folders not visible to Thunderbird
    - LP: #241276 - Not able to paste image into thunderbird compose window
    - LP: #244635 - scrollboxes scroll to offset 0 when resized
    - LP: #259387 - "Edit Message as New" broken for eml messages
    - LP: #120281 - Editing a message from the drafts folder leaves line breaks
    - LP: #115484 - Dialogue boxes too large for 1024x768 resolution
    - LP: #320034 - Mail with self referencing headers breaks threading
    - LP: #160794 - shortcuts different in windows and linux
    - LP: #280987 - thunderbird keeps asking a password when working off-line
    - LP: #369150 - Thunderbird splits email addresses with non-ascii characters
                    and a comma in From: field
    - LP: #135066 - Thunderbird doesn't use Ubuntu icon theme
    - LP: #297301 - after authentication error the password is forgotten
    - LP: #487541 - thunderbird-bin crashed with SIGSEGV (AFS filesystem)
    - LP: #485224 - Thunderbird saves double attachment file name endings on
                    FAT32 and NTFS
    - LP: #482496 - When using SCIM ANTHY, autosaving fails, and then get asked
                    about sending in UTF-8

  [ Fabien Tassin <email address hidden> ]
  * Add build-depends on autoconf2.13, autotolls-dev, mozilla-devscripts
    libglib2.0-dev (>= 2.12), libstartup-notification0-dev, libbz2-dev,
    libpixman-1-dev, libdbus-1-dev (>= 1.0.0), libdbus-glib-1-dev (>= 0.60),
    libhal-dev (>= 0.5.8), libasound2-dev, libreadline5-dev | libreadline-dev,
    libkrb5-dev
  * Update build-depends minimums for libx11-dev (>= 2:1.0),
    libgtk2.0-dev (>= 2.12), zlib1g-dev (>= 1:1.2.3), libpng12-dev (>= 1.2.0),
    libjpeg62-dev (>= 6b), libcairo2-dev (>= 0.5.8), libgnome2-dev (>= 2.16),
    libgnomevfs2-dev (>= 1:2.16), libgnomeui-dev (>= 2.16),
    libnss3-dev (>= 3.12.0~1.9b3)
  * Bump standards version to 3.8.0
  * Replace ${Source-Version} by ${binary:Version} in control file
    - update debian/control
  * Bump requirement for system nspr to >= 4.8 since Mozilla bug 492464 landed
  * Bump requirement for system nss to >= 3.12.3 since Mozilla bug 485052 landed
  * Use in-source hunspell when hunspell 1.2 is not available
  * Add conditionnal support for --with-libxul-sdk controlled by
    $(USE_SYSTEM_XUL)
    - update debian/rules
  * Add p...


Changed in thunderbird (Ubuntu):
status: Triaged → Fix Released
Changed in thunderbird:
importance: Unknown → High