Thought about providing account identification when doing autoconfig request
Martin Stenröse
martin at ilait.se
Fri Feb 8 20:46:33 GMT 2019
Hi,
On Feb 8, 2019, at 5:55 PM, Daniel Vrátil dvratil at kde.org wrote:
> I share Milan's privacy concern about leaking the email address on plain HTTP
> connection. I don't see how his fix to send both the emailaddress and emailmd5
> in the query fixes the privacy issue as the plaintext email address is still
> in the URL...
Evolution actually sends a fake local part (EVOLUTIONUSER) for the email address, so the address is never sent in plaintext. The current version uses in the query '?emailaddress=EVOLUTIONUSER at domain.com' while with the new commit it uses '?emailaddress=EVOLUTIONUSER at domain.com&emailmd5=XXXXXXX'.
> I would propose to only send the emailaddress query when connecting via HTTPS.
> Would that be good enough? The ispdb.cpp code should also be extended to first
> try HTTPS and fall-back to HTTP if necessary.
It makes sense and would solve the problem without making unnecessary changes to how the Autoconfiguration is supposed to work according to the Mozilla documentation. Our config service is redirecting http requests to https anyway.
--
Martin Stenröse
martin at ilait.se
More information about the kde-pim
mailing list