Thought about providing account identification when doing autoconfig request

Cork kde at box.qzdev.se
Wed Feb 13 06:26:20 GMT 2019


Any more comments on this? I would like to find an acceptable solution if possible.

// Cork

----- Original Message -----
> From: "Cork" <kde at box.qzdev.se>
> To: "kde-pim" <kde-pim at kde.org>
> Sent: Saturday, 9 February, 2019 19:44:40
> Subject: Re: Thought about providing account identification when doing autoconfig request

> Ya, I don't really like their solution for emailaddress, but sending
> emailaddress over https or just using emailmd5 over http(s) is what
> I'm asking about.
> 
> // Cork
> 
> ----- Original Message -----
>> From: "martin" <martin at ilait.se>
>> To: "kde-pim" <kde-pim at kde.org>
>> Sent: Friday, 8 February, 2019 21:46:33
>> Subject: Re: Thought about providing account identification when doing
>> autoconfig request
> 
>> Hi,
>> 
>> On Feb 8, 2019, at 5:55 PM, Daniel Vrátil dvratil at kde.org wrote:
>>> I share Milan's privacy concern about leaking the email address on plain HTTP
>>> connection. I don't see how his fix to send both the emailaddress and emailmd5
>>> in the query fixes the privacy issue as the plaintext email address is still
>>> in the URL...
>> 
>> Evolution actually sends a fake local part (EVOLUTIONUSER) for the email
>> address, so the address is never sent in plaintext. The current version uses in
>> the query '?emailaddress=EVOLUTIONUSER at domain.com' while with the new commit it
>> uses '?emailaddress=EVOLUTIONUSER at domain.com&emailmd5=XXXXXXX'.
>> 
>>> I would propose to only send the emailaddress query when connecting via HTTPS.
>>> Would that be good enough? The ispdb.cpp code should also be extended to first
>>> try HTTPS and fall-back to HTTP if necessary.
>> 
>> It makes sense and would solve the problem without making unnecessary changes to
>> how the Autoconfiguration is supposed to work according to the Mozilla
>> documentation. Our config service is redirecting http requests to https anyway.
>> 
>> --
>> Martin Stenröse
>> martin at ilait.se
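
An added sketch of the behaviour discussed in this thread (not KDE PIM's ispdb.cpp code and not written by anyone in the thread): try HTTPS first, put the plaintext `emailaddress` only on the HTTPS URL, and optionally send `emailmd5` on the HTTP fallback. Assumptions: the `autoconfig.<domain>` host and `/mail/config-v1.1.xml` path follow Mozilla's autoconfig convention, `emailmd5` is taken to be the hex MD5 of the lower-cased address, and all function names and the sample address are constructed for illustration.

```python
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

CONFIG_PATH = "/mail/config-v1.1.xml"  # assumed: Mozilla autoconfig path


def email_md5(address):
    # Assumption: emailmd5 = hex MD5 of the trimmed, lower-cased address.
    # It is an opaque account key, not protection for a guessable address.
    return hashlib.md5(address.strip().lower().encode("utf-8")).hexdigest()


def candidate_urls(address, md5_on_http=False):
    """Return autoconfig URLs in the order they should be tried."""
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    host = "autoconfig." + domain.lower()
    # HTTPS first: the full address travels only inside TLS.
    urls = ["https://%s%s?%s" % (host, CONFIG_PATH,
                                 urlencode({"emailaddress": address}))]
    # HTTP fallback: no plaintext address, at most the hash.
    fallback = "http://%s%s" % (host, CONFIG_PATH)
    if md5_on_http:
        fallback += "?" + urlencode({"emailmd5": email_md5(address)})
    urls.append(fallback)
    return urls


def sends_address_in_clear(url):
    """True if a non-HTTPS URL carries the emailaddress parameter."""
    parts = urlsplit(url)
    return parts.scheme != "https" and "emailaddress" in parse_qs(parts.query)


if __name__ == "__main__":
    # Constructed sample address.
    for url in candidate_urls("Alice@Example.com", md5_on_http=True):
        print(url, "LEAK" if sends_address_in_clear(url) else "ok")
```

`sends_address_in_clear` can also be applied to a redirect target before following it, so a redirect from HTTPS to HTTP does not carry the address along.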


