Thought about providing account identification when doing autoconfig request
Daniel Vrátil
dvratil at kde.org
Wed Feb 13 11:03:55 GMT 2019
Hi,
On Wednesday, February 13, 2019 7:26:20 AM CET Cork wrote:
> Any more comments on this? I would like to find an acceptable solution if
> possible.
>
<snip>
> >
> > Ya, I don't really like there solution for emailaddress, but sending
> > emailaddress over https
> > or just using emailmd5 over http(s) is what i'm asking about.
The approach of anonymized emailaddress + emailmd5 on HTTP and
full emailaddress + emailmd5 on HTTPS sounds good to me.
Cheers,
Daniel
> >
> > // Cork
> >
> > ----- Original Message -----
> >
> >> From: "martin" <martin at ilait.se>
> >> To: "kde-pim" <kde-pim at kde.org>
> >> Sent: Friday, 8 February, 2019 21:46:33
> >> Subject: Re: Thought about providing account identification when doing
> >> autoconfig request
> >>
> >> Hi,
> >>
> >> On Feb 8, 2019, at 5:55 PM, Daniel Vrátil dvratil at kde.org wrote:
> >>> I share Milan's privacy concern about leaking the email address on plain
> >>> HTTP connection. I don't see how his fix to send both the emailaddress
> >>> and emailmd5 in the query fixes the privacy issue as the plaintext
> >>> email address is still in the URL...
> >>
> >> Evolution actually sends a fake local part (EVOLUTIONUSER) for the email
> >> address, so the address is never sent in plaintext. The current version
> >> uses in the query '?emailaddress=EVOLUTIONUSER at domain.com' while with
> >> the new commit it uses
> >> '?emailaddress=EVOLUTIONUSER at domain.com&emailmd5=XXXXXXX'.
> >>
> >>> I would propose to only send the emailaddress query when connecting via
> >>> HTTPS. Would that be good enough? The ispdb.cpp code should also be
> >>> extended to first try HTTPS and fall-back to HTTP if necessary.
> >>
> >> It makes sense and would solve the problem without making unnecessary
> >> changes to how the Autoconfiguration is supposed to work according to
> >> the Mozilla documentation. Our config service is redirecting http
> >> requests to https anyway.
> >>
> >> --
> >> Martin Stenröse
> >>
> > > martin at ilait.se
--
Daniel Vrátil
www.dvratil.cz | dvratil at kde.org
IRC: dvratil on Freenode (#kde, #kontact, #akonadi, #fedora-kde)
GPG Key: 0x4D69557AECB13683
Fingerprint: 0ABD FA55 A4E6 BEA9 9A83 EA97 4D69 557A ECB1 3683
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-pim/attachments/20190213/629bf48a/attachment.sig>
More information about the kde-pim
mailing list