Open
Bug 962763
Opened 11 years ago
Updated 2 years ago
Security flaw: Thunderbird suggests user drop STARTTLS when SMTP connection is hijacked
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
NEW
People
(Reporter: silverlark, Unassigned)
Details
(Keywords: sec-want)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310
Steps to reproduce:
For some reason my outgoing SMTP connection sometimes gets hijacked - I've tested it with telnet: when I try to connect to my SMTP server at port 25 I get a 220 SMTP response from an unknown server. In such cases Thunderbird behaves in a hazardous way. My server advertises STARTTLS upon EHLO. The hijacking server doesn't.
Actual results:
Thunderbird shows a message box that says: "Unable to establish a secure link with SMTP server ... using STARTTLS since it doesn't advertise that feature. Switch STARTTLS off for that server or contact your service provider." But switching STARTTLS off would reveal the user's password to the intruder.
Expected results:
The message should say "Unable to establish a secure link with SMTP server ... using STARTTLS since it doesn't advertise that feature. That could mean that your connection has been intercepted by an intruder. If you know what's going on, you may try switching STARTTLS off for that server; otherwise, contact your service provider."
Updated•11 years ago
Component: Untriaged → Security
Updated•11 years ago
Flags: needinfo?(mbanner)
Comment 1•11 years ago
silverlark: Presumably Thunderbird doesn't actually connect to the insecure server?
If so, I think this is not a security issue, just bad/unclear advice, and we could do better on that message.
The message is here in the code: http://hg.mozilla.org/comm-central/annotate/b57fc63e6aba/mail/locales/en-US/chrome/messenger/messengercompose/composeMsgs.properties#l176
So I think we could tidy that up a bit.
Flags: needinfo?(mbanner) → needinfo?(silverlark)
Comment 2 (Reporter)•11 years ago
Thunderbird does connect to the hijacking server, otherwise it would not know that it doesn't advertise STARTTLS as expected. But that's understandable since Thunderbird can't check which server it's connected to with plain SMTP. What is important is that it should properly warn the user (like Firefox does, for example).
So yes, the message should be fixed.
Flags: needinfo?(silverlark)
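The fail-closed behaviour both comments describe, as an added example (not Thunderbird's code): the client parses the EHLO reply, and when STARTTLS is configured but not advertised it aborts before sending any credentials instead of suggesting a downgrade. The two EHLO replies are constructed for the example; the hostnames, capability sets and message text are assumptions, not captures from the reporter's servers.

```python
import re

# Constructed EHLO replies for the example (not captured from any real server).
# A legitimate server that advertises STARTTLS:
LEGIT_EHLO = (
    "250-mail.example.net Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# An interposed server that does not advertise it (the situation in the report):
HIJACKED_EHLO = (
    "250-unknown.example Hello client\r\n"
    "250-SIZE 10240000\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: parameters}.

    The first line carries the server's domain and greeting, not a keyword,
    so it is skipped; every following '250-' / '250 ' line is a capability.
    """
    lines = response.splitlines()
    if not lines or not lines[0].startswith("250"):
        return {}  # EHLO refused, or this is not an EHLO reply at all
    caps = {}
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)\s*(.*)$", line)
        if m:
            caps[m.group(1).upper()] = m.group(2)
    return caps


def decide_auth(response: str, require_starttls: bool = True) -> str:
    """Decide how to proceed after EHLO when the account is set to use STARTTLS.

    Before TLS the client cannot verify which server answered, so a missing
    STARTTLS capability is treated as possible interception and the session
    is aborted (fail closed) rather than falling back to plaintext AUTH.
    Returns one of 'starttls', 'abort' or 'plaintext'.
    """
    caps = parse_ehlo(response)
    if "STARTTLS" in caps:
        return "starttls"
    if require_starttls:
        return "abort"
    return "plaintext"  # only if the user explicitly disabled STARTTLS


def warning_for(server: str) -> str:
    """User-facing text for the abort case (assumed wording, not Thunderbird's)."""
    return (f"Server {server} did not offer STARTTLS. Your connection may be "
            f"intercepted; no password was sent. Contact your provider.")
```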
Updated•11 years ago
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-want
Product: Thunderbird → MailNews Core
Updated•2 years ago
Severity: normal → S3