Closed Bug 263000 Opened 20 years ago Closed 20 years ago

Use Secure Authentication not enforced with IMAP server

Categories

(MailNews Core :: Security, defect)

x86
NetBSD
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 225809

People

(Reporter: jflack, Assigned: sspitzer)

Details

User-Agent: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.5.1) Gecko/20031214
Build Identifier: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.5.1) Gecko/20031214

Connecting without SSL to an IMAP server that advertises only [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] succeeds. It succeeds even if Use Secure Authentication is checked, and tcpdump shows "authenticate login" being done over the unencrypted connection.

This is more serious than bug 259982, because that bug is simply about getting no warning when sending unencrypted credentials, if you haven't told Mozilla not to send them. This is about Mozilla going ahead and sending unencrypted credentials (also without warning) after you *have* told it not to do so.

This IMAP server admin clearly needs to read RFC3501 sec 6.2.3, where it says

    Unless either the STARTTLS command has been negotiated or some other mechanism that protects the session from password snooping has been provided, a server implementation MUST implement a configuration in which it advertises the LOGINDISABLED capability and does NOT permit the LOGIN command. Server sites SHOULD NOT use any configuration which permits the LOGIN command without such a protection mechanism against password snooping.

But Mozilla should honor the Use Secure Authentication option even when dealing with a braindamaged server. It does with POP3--it will just say secure authentication not supported, and give up. That's what it should do with IMAP too.

"authenticate login" is not exactly the same as the LOGIN command. "authenticate login" sends the login and password in base64 form, expecting a login and password prompt in the same form. Base64 may be useful for including special characters in the login or password string, but it is not encryption; it is 100% reversible with no key involved, and if I know that, the snoops do too. "authenticate login" is perfectly acceptable over an SSL connection, but in the clear it definitely does not qualify for Use Secure Authentication.

Reproducible: Always

Steps to Reproduce:
Tcpdump a 'check messages' connection to an IMAP server that advertises only AUTH=LOGIN, with Use Secure Authentication checked and Use SSL unchecked.

Actual Results:
OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] world.securenet-server.net IMAP4rev1 2003.339-cpanel at Tue, 5 Oct 2004 09:38:13 -0400 (EDT)
authenticate login
+ VXNlciBOYW1lAA== [Base64: User Name]
Y2hhcCthbmFzdGlnbWF0aXgubmV0 [Base64: chap+anastigmatix.net]
+ UGFzc3dvcmQA [Base64: Password]
c3QwZ3Rod2F0 [Base64: st0gthwat now changed :) ]
OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User chap authenticated

Expected Results:
Refuse to connect, since Use Secure Authentication is checked and the server does not support it.

See also bug 205944
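As an added illustration of the client-side check the report asks for (example code written for this page, not Mozilla's IMAP code), the first function parses the server's capability list and, when Use Secure Authentication is set and the session is not under SSL/TLS, refuses unless a challenge-response SASL mechanism is offered; the mechanism classification and the "alice"/"placeholder" credentials are assumptions of the example. The second helper decodes a constructed AUTHENTICATE LOGIN exchange to make the reporter's point that base64 is reversible, not encryption.

```python
import base64

# Assumed classification for this example: challenge-response mechanisms never put the
# password itself on the wire; LOGIN and PLAIN do, whether base64-wrapped or not.
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5", "GSSAPI", "SCRAM-SHA-1", "SCRAM-SHA-256"}
CLEARTEXT_SASL = {"LOGIN", "PLAIN"}


def parse_capabilities(line):
    """Return the capability tokens from an IMAP greeting or CAPABILITY response."""
    start = line.find("[CAPABILITY ")
    if start == -1:
        return set()
    end = line.find("]", start)
    return set(line[start + len("[CAPABILITY "):end].upper().split())


def choose_auth(caps, use_secure_auth, tls_active):
    """Decide how to authenticate. Returns (mechanism, reason); mechanism None means refuse."""
    sasl = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    secure = sorted(sasl & CHALLENGE_RESPONSE)
    if secure:
        return secure[0], "challenge-response mechanism offered"
    if tls_active:
        # Inside TLS a cleartext mechanism is fine, as the report itself notes.
        clear = sorted(sasl & CLEARTEXT_SASL)
        if clear:
            return clear[0], "cleartext mechanism acceptable inside TLS"
        if "LOGINDISABLED" not in caps:
            return "LOGIN", "LOGIN command acceptable inside TLS"
        return None, "server offers no usable mechanism"
    if use_secure_auth:
        # The behaviour the report asks for: give up, as the POP3 code already does.
        return None, "secure authentication not supported by server"
    clear = sorted(sasl & CLEARTEXT_SASL)
    if clear:
        return clear[0], "WARNING: password sent in the clear"
    if "LOGINDISABLED" not in caps:
        return "LOGIN", "WARNING: password sent in the clear"
    return None, "server offers no usable mechanism"


def recover_credentials(client_lines):
    """Decode the client's AUTHENTICATE LOGIN responses: base64 is reversible, not encryption."""
    return [base64.b64decode(line.strip()).decode() for line in client_lines]


if __name__ == "__main__":
    # Greeting as quoted in the report: no STARTTLS, only AUTH=LOGIN advertised.
    greeting = ("* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] "
                "world.securenet-server.net IMAP4rev1 2003.339-cpanel")
    print(choose_auth(parse_capabilities(greeting), use_secure_auth=True, tls_active=False))
    # Constructed exchange with placeholder credentials, not the ones from the report.
    print(recover_credentials(["YWxpY2U=", "cGxhY2Vob2xkZXI="]))
```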
This should already be fixed according to bug 225809. Please test this with a more recent build and report your results.
Ditto comment 1, a build from last year is way too old. *** This bug has been marked as a duplicate of 225809 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Re: comment 1, my bad, when I searched for duplicates I forgot to include closed ones. Unfortunately there are a lot of things on my plate ahead of fussing with finding or building a more recent native mozilla for my platform, or fussing with the linux emulation to run a linux one. For now I'll believe that the issue was resolved with bug 225809 - if I ever find out otherwise, I'll report it. Sorry for the duplicate.
Product: MailNews → Core
Product: Core → MailNews Core