Closed
Bug 263000
Opened 20 years ago
Closed 20 years ago
Use Secure Authentication not enforced with IMAP server
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 225809
People
(Reporter: jflack, Assigned: sspitzer)
Details
User-Agent: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.5.1) Gecko/20031214
Build Identifier: Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.5.1) Gecko/20031214
Connecting without SSL to an IMAP server that advertises only [CAPABILITY
IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] succeeds. It succeeds even if Use Secure
Authentication is checked, and tcpdump shows "authenticate login" being done
over the unencrypted connection.
This is more serious than bug 259982, because that bug is simply about getting
no warning when sending unencrypted credentials, if you haven't told Mozilla not
to send them. This is about Mozilla going ahead and sending unencrypted
credentials (also without warning) after you *have* told it not to do so.
This IMAP server admin clearly needs to read RFC3501 sec 6.2.3, where it says
Unless either the STARTTLS command has been negotiated or
some other mechanism that protects the session from
password snooping has been provided, a server
implementation MUST implement a configuration in which it
advertises the LOGINDISABLED capability and does NOT permit
the LOGIN command. Server sites SHOULD NOT use any
configuration which permits the LOGIN command without such
a protection mechanism against password snooping.
But Mozilla should honor the Use Secure Authentication option even when dealing
with a braindamaged server. It does with POP3--it will just say secure
authentication not supported, and give up. That's what it should do with IMAP too.
"authenticate login" is not exactly the same as the LOGIN command.
"authenticate login" sends the login and password in base64 form, expecting a
login and password prompt in the same form. Base64 may be useful for including
special characters in the login or password string, but it is not encryption; it
is 100% reversible with no key involved, and if I know that, the snoops do too.
"authenticate login" is perfectly acceptable over an SSL connection, but in the
clear it definitely does not qualify for Use Secure Authentication.
Reproducible: Always
Steps to Reproduce:
Tcpdump a 'check messages' connection to an IMAP server that advertises only
AUTH=LOGIN, with Use Secure Authentication checked and Use SSL unchecked.
Actual Results:
OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=LOGIN] world.securenet-server.ne
t IMAP4rev1 2003.339-cpanel at Tue, 5 Oct 2004 09:38:13 -0400 (EDT)
authenticate login
+ VXNlciBOYW1lAA== [Base64: User Name]
Y2hhcCthbmFzdGlnbWF0aXgubmV0 [Base64: chap+anastigmatix.net]
+ UGFzc3dvcmQA [Base64: Password]
c3QwZ3Rod2F0 [Base64: st0gthwat now changed :) ]
OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN
SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User chap authenticat
ed
Expected Results:
Refuse to connect, since Use Secure Authentication is checked and the server
does not support it.
See also bug 205944
Comment 1•20 years ago
|
||
This should already be fixed according to bug 225809. Please test this with a
more recent build and report your results.
Comment 2•20 years ago
|
||
Ditto comment 1, a build from last year is way too old.
*** This bug has been marked as a duplicate of 225809 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 3•20 years ago
|
||
Re: comment 1, my bad, when I searched for duplicates I forgot to include closed
ones. Unfortunately there are a lot of things on my plate ahead of fussing with
finding or building a more recent native mozilla for my platform, or fussing
with the linux emulation to run a linux one. For now I'll believe that the
issue was resolved with bug 225809 - if I ever find out otherwise, I'll report
it. Sorry for the duplicate.
Updated•20 years ago
|
Product: MailNews → Core
Updated•16 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•