#10836: Enable mail account autoconfig dialog in TorBirdy
-----------------------------+-----------------
Reporter: ben | Owner: ben
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: TorBirdy | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
-----------------------------+-----------------
Comment (by tagnaq):
lunar, thanks for pointing that out.
ben I see your point that (almost?) no ISP is serving their xml files via
HTTPS (currently there is no point to do so since Thunderbird would not
make use of it), but could we at least try HTTPS before falling back to
HTTP instead of hard coding HTTP only? (The security benefit is probably
questionable since this is vulnerable to downgrade attacks..)
What do you think about merging (some?) of tails modifications to the
autoconfig [1] code? (I haven't looked at the code but the design [1]
matches the 'forceHTTPS' suggestion.)
I guess
mailnews.auto_config_ssl_only = true
equals more or less to
'fetchFromISP.enabled = false'
since (almost?) no one is serving their xml files via HTTPS.
If you are saying that not even 1% of users is affected by fetchISP, then
'fetchFromISP.enabled = false' wouldn't hurt to many users I guess.
bitmessage.ch users would be one of them though.
For simplicity I wanted to have fetchISP do HTTPS requests or none at all
('fetchFromISP.enabled = false'), but I could also imagine insecure HTTP
fetches if we impose restrictions on the acceptable hostnames for the
mailservers. (TorBirdy - not Thunderbird - would take care of enforcing
those restrictions - I hope that's possible.)
Mailserver hostnames for the email address user at example.com would have to
match *.example.com.
If it doesn't match we fall back to manual configuration.
I'm wondering how many email addresses would fail this test.. (all custom
domains hosted at gmail?)
If we allow insecure HTTP fetches with that restriction in place we would
make use of ben's 'mailnews.auto_config.fetchFromISP.emailAddressEnabled =
false' to avoid sending the user's email address in plaintext accross the
wire.
A successful attack would require a certificate for a hostname under the
domain of the email address (since we only fetch/send emails via
SSL/STARTTLS).
I realized that autoconfig xml files can be used for more than just
mailserver hostnames and ports/protocols, I'll look at it [2] in more
detail to assess if that
opens any new attack vectors. Ben, is [2] up to date?
[2]
https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat
From tails "Modified autoconfig wizard" design paragraph at:
[1] https://tails.boum.org/blueprint/Return_of_Icedove__63__/#index4h3
> When probing a mail provider for an xml config, first try HTTPS, then
http (old behaviour: http only).
> Introduce a boolean pref called mailnews.auto_config_ssl_only (that has
a checkbox in the
> autoconfiguration wizard) that does the following when true:
> Only allow HTTPS when fetching xml configs from mail provider.
> Only allow HTTPS when fetching xml configs from Mozilla's database
(luckily the default URL is using HTTPS).
> Don't check DNS MX records for mail configurations. This may need
some rethinking for DNSSEC.
> Only accept fetched xml configs that use safe email protocols
(SSL/TLS for SMTP/IMAP/POP).
> Only probe the mail server for safe protocols (SSL/TLS for
SMTP/IMAP/POP).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10836#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online