Thought about providing account identification when doing autoconfig request
Cork
kde at box.qzdev.se
Sat Feb 9 18:44:40 GMT 2019
Ya, I don't really like there solution for emailaddress, but sending emailaddress over https
or just using emailmd5 over http(s) is what i'm asking about.
// Cork
----- Original Message -----
> From: "martin" <martin at ilait.se>
> To: "kde-pim" <kde-pim at kde.org>
> Sent: Friday, 8 February, 2019 21:46:33
> Subject: Re: Thought about providing account identification when doing autoconfig request
> Hi,
>
> On Feb 8, 2019, at 5:55 PM, Daniel Vrátil dvratil at kde.org wrote:
>> I share Milan's privacy concern about leaking the email address on plain HTTP
>> connection. I don't see how his fix to send both the emailaddress and emailmd5
>> in the query fixes the privacy issue as the plaintext email address is still
>> in the URL...
>
> Evolution actually sends a fake local part (EVOLUTIONUSER) for the email
> address, so the address is never sent in plaintext. The current version uses in
> the query '?emailaddress=EVOLUTIONUSER at domain.com' while with the new commit it
> uses '?emailaddress=EVOLUTIONUSER at domain.com&emailmd5=XXXXXXX'.
>
>> I would propose to only send the emailaddress query when connecting via HTTPS.
>> Would that be good enough? The ispdb.cpp code should also be extended to first
>> try HTTPS and fall-back to HTTP if necessary.
>
> It makes sense and would solve the problem without making unnecessary changes to
> how the Autoconfiguration is supposed to work according to the Mozilla
> documentation. Our config service is redirecting http requests to https anyway.
>
> --
> Martin Stenröse
> martin at ilait.se
More information about the kde-pim
mailing list