https://bugs.kde.org/show_bug.cgi?id=487882
Bug ID: 487882
Summary: plaintext HTTP request in kmail-account-wizard
Classification: Applications
Product: kmail2
Version: 5.24.4
Platform: unspecified
OS: Unspecified
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: kdepim-b...@kde.org
Reporter: beard...@gmail.com
Target Milestone: ---

Summary: Sends a plain HTTP request (https://github.com/KDE/kmail-account-wizard/blob/master/src/ispdbservice.cpp#L29) to retrieve the mail server's configuration file in the KMail account wizard.

May result: Consider an attack scenario in which the attacker and the victim are both located in a coffee shop, sharing the same Wi-Fi network. The attacker can tamper with any content transmitted over the plaintext connection. For example, the attacker can specify the target mail server as an attacker-controlled server.

If it is deliberate not to implement HTTPS, what is the reason for doing so?