Thought about providing account identification when doing autoconfig request
Daniel Vrátil
dvratil at kde.org
Fri Feb 8 16:55:56 GMT 2019
Hi Cork,
On Friday, February 8, 2019 11:15:37 AM CET Cork wrote:
> Currently when kmail makes a provider autoconfig request[1] it doesn't
> provide the emailaddress query.
>
> I wonder if it would be acceptable to provide it or possibly the emailmd5
> evolution[2] is starting to use now.
I share Milan's privacy concern about leaking the email address on a plain HTTP
connection. I don't see how his fix to send both the emailaddress and emailmd5
in the query fixes the privacy issue as the plaintext email address is still
in the URL...
I would propose to only send the emailaddress query when connecting via HTTPS.
Would that be good enough? The ispdb.cpp code should also be extended to first
try HTTPS and fall back to HTTP if necessary.
I don't think sending emailmd5 makes much sense, since it's an extension
that Milan has invented just now, so obviously no provider supports it or even
knows about it. However it's cheap so we can at least send it on the HTTP
connection....
Cheers,
Dan
>
> [1]
> https://cgit.kde.org/kmail-account-wizard.git/tree/src/ispdb/ispdb.cpp#n82
> [2] https://gitlab.gnome.org/GNOME/evolution/issues/306
>
> // Cork
--
Daniel Vrátil
www.dvratil.cz | dvratil at kde.org
IRC: dvratil on Freenode (#kde, #kontact, #akonadi, #fedora-kde)
GPG Key: 0x4D69557AECB13683
Fingerprint: 0ABD FA55 A4E6 BEA9 9A83 EA97 4D69 557A ECB1 3683
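
The request policy proposed in the message above, as an added sketch that is not part of the original post and not code from kmail-account-wizard: HTTPS is tried first and carries `emailaddress`, and the plain-HTTP fallback carries only `emailmd5`. The server locations and the digest input (hex MD5 of the UTF-8 address as typed) are assumptions, as are all function names.

```python
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed autoconfig locations (Mozilla-style layout); {d} is the mail domain.
LOCATIONS = (
    "autoconfig.{d}/mail/config-v1.1.xml",
    "{d}/.well-known/autoconfig/mail/config-v1.1.xml",
)

def email_md5(address):
    # Assumption: hex MD5 of the UTF-8 address exactly as typed.
    # The digest is still a stable identifier and can be matched against
    # known addresses, so it reduces exposure rather than removing it.
    return hashlib.md5(address.encode("utf-8")).hexdigest()

def autoconfig_requests(address):
    """Return candidate URLs in the order they should be tried."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    domain = domain.lower()
    urls = []
    for loc in LOCATIONS:
        base = loc.format(d=domain)
        # HTTPS first: the query string is encrypted in transit,
        # so the plaintext address may be sent.
        urls.append("https://" + base + "?" + urlencode({"emailaddress": address}))
        # HTTP fallback: never put the plaintext address in the URL.
        urls.append("http://" + base + "?" + urlencode({"emailmd5": email_md5(address)}))
    return urls

def leaks_address(url):
    """True if a non-HTTPS URL carries the emailaddress parameter."""
    parts = urlsplit(url)
    return parts.scheme != "https" and "emailaddress" in parse_qs(parts.query)

if __name__ == "__main__":
    for u in autoconfig_requests("fred@example.com"):  # constructed sample address
        print(u, "LEAK" if leaks_address(u) else "ok")
```
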