Closed Bug 297278 Opened 19 years ago Closed 15 years ago

Thunderbird should warn before sending passwords over plaintext protocols

Categories: Thunderbird :: Security, enhancement
Platform: x86, Linux
Type: enhancement
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 259982
Reporter: bugreports2005
Assignee: Unassigned
Keywords: privacy

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050515 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050515 Firefox/1.0.4

Using the account generation wizard in Thunderbird with the wizard does not allow the choice of SSL with IMAP. After account generation it tries to log in, and innocently asks for a password to be sent over the net on the clear. I have compromised two passwords this way now, and a third one by a mistake in outgoing SMTP configuration. To make matters worse, each compromise occurred on an easily snoopable WLAN.

A part of a fix would be to allow the account generation wizard to activate SSL, which I noticed is being discussed already. However, it will not shield against mistakes in configuration.

I think the correct behaviour for Thunderbird would be to display a warning whenever a password is about to be sent over the net on the clear. Not much unlike Firefox, which displays such a warning whenever something is being sent on the clear.

Reproducible: Always
Duplicate of/related to bug 221030?
(In reply to comment #1)
> Duplicate of/related to bug 221030?

Related to, yes. Duplicate of, no. 221030 just makes it worse. A warning would, in my opinion, be appropriate whenever sending cleartext passwords, whether the wizard allows the initial setup of SSL or not. These innocent-looking password requests have burned me thrice already.
With the proliferation of WiFi hotspot access this is a very good idea. It could be set up like the Firefox unencrypted submit warning: warn the first time (per account) then go silent unless the user checks the box. The latter is to prevent it from getting too annoying since so many places don't support encrypted mail servers, nor is it really necessary for people with direct dial-up connections to their ISP's mail server. But the one-time warning will raise awareness, and perhaps get more people to think about the issue and put pressure on ISPs who don't support SSL.
Assignee: dveditz → mscott
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Summary: Thunderbird should warn before compromising passwords → Thunderbird should warn before sending passwords over plaintext protocols
*** Bug 308261 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> It could be set up like the Firefox unencrypted submit warning: warn the
> first time (per account) then go silent unless the user checks the box.

This would be exactly what I'd like to see.
Assignee: mscott → nobody
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
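
The warn-once-per-account behaviour proposed in comment #3 above, as an added example that is not part of the bug report or Thunderbird's code. `WarningState`, `checkBeforeSend`, `recordAnswer` and the account fields are hypothetical names, and the example assumes the caller knows whether the live session is actually encrypted.

```javascript
// Added example. All names (WarningState, checkBeforeSend, recordAnswer,
// the account fields) are hypothetical and are not Thunderbird APIs.

// Mechanisms that put a reusable password on the wire when the session is
// not encrypted (IMAP LOGIN, POP3 USER/PASS, SASL PLAIN and LOGIN).
const CLEARTEXT_AUTH = new Set(["PLAIN", "LOGIN", "USER/PASS"]);

class WarningState {
  constructor() {
    this.warnedOnce = new Set(); // accounts that already saw the warning
    this.alwaysWarn = new Set(); // accounts where the user ticked the box
  }
}

// IMAP and SMTP are keyed separately, so a misconfigured outgoing server
// is warned about even when the incoming one is fine.
function accountKey(acct) {
  return `${acct.protocol}://${acct.user}@${acct.host}:${acct.port}`;
}

// Call immediately before the password is written to the socket.
// `sessionEncrypted` must reflect the live connection, not the configured
// preference, so a STARTTLS that was never negotiated counts as plaintext.
function checkBeforeSend(acct, sessionEncrypted, state) {
  if (sessionEncrypted || !CLEARTEXT_AUTH.has(acct.authMechanism)) {
    return { warn: false, reason: "password not exposed" };
  }
  const key = accountKey(acct);
  if (state.alwaysWarn.has(key)) {
    return { warn: true, reason: "user asked to be warned every time" };
  }
  if (state.warnedOnce.has(key)) {
    return { warn: false, reason: "already warned once for this account" };
  }
  return { warn: true, reason: "first cleartext password for this account" };
}

// Record the dialog result. Only a confirmed send marks the account as
// warned; cancelling leaves it unwarned so the next attempt warns again.
function recordAnswer(acct, state, { proceed, keepWarning }) {
  const key = accountKey(acct);
  if (keepWarning) state.alwaysWarn.add(key);
  if (proceed) state.warnedOnce.add(key);
  return proceed; // caller sends the password only when this is true
}
```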