Re: [Evolution-hackers] STARTTLS broken, password sent in the clear



On Tue, 2006-05-09 at 21:41 +0000, Anders Kaseorg wrote:
> Can someone please look at <http://bugzilla.gnome.org/show_bug.cgi?id=339903>?
> When you tell Evolution to use TLS encryption on an IMAP4rev1 server, it sends a
> STARTTLS, then proceeds to ignore the server's response and sends out your
> password in plain text anyway. Obviously, this doesn't work at all, and is a
> security problem.

Please note that the IMAP4rev named provider is unstable, unmaintained,
and has a lot of known bugs. This one probably should never have been
enabled in stable builds in the first place, as discussed here. There
even is a bug to disable this provider and migrate any existing account
to the IMAP named one.

Both the IMAP and IMAP4rev1 named providers do support the IMAP4r1
protocol. You seriously should use the IMAP provider.

Oh, and I wouldn't hold my breath to get IMAP4rev1 bugs fixed soon... ;)

...guenther


-- 
char *t="\10pse\0r\0dtu\0  ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
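
Added example, not part of the original message and not Evolution's code: a client-side check for the failure described in the quoted report, where LOGIN is withheld until the tagged reply to STARTTLS is OK and the TLS handshake has completed. The function names, the tag a001 and the transcripts are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum tls_step { TLS_HANDSHAKE, TLS_REFUSED, TLS_NO_REPLY };

/* Case-insensitive match of `word` at the start of `s`. */
static int ieq(const char *s, const char *word)
{
    for (; *word; s++, word++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*word))
            return 0;
    return 1;
}

/* Find the tagged completion of our STARTTLS command among the response
 * lines. Untagged lines and other tags are skipped; only "<tag> OK" allows
 * the handshake. Running out of lines (EOF, timeout) is also a failure. */
enum tls_step starttls_reply(const char *tag, const char *const *lines, size_t n)
{
    size_t tlen = strlen(tag);
    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];
        if (ieq(l, "* BYE"))
            return TLS_REFUSED;               /* server is hanging up */
        if (strncmp(l, tag, tlen) != 0 || l[tlen] != ' ')
            continue;                         /* not the reply to our command */
        const char *status = l + tlen + 1;
        if (ieq(status, "OK") && strchr(" \r\n", status[2]) != NULL)
            return TLS_HANDSHAKE;
        return TLS_REFUSED;                   /* NO, BAD or anything unexpected */
    }
    return TLS_NO_REPLY;
}

/* With TLS required, LOGIN is sent only after "OK" and a finished handshake. */
int may_send_login(int tls_required, enum tls_step step, int handshake_ok)
{
    return !tls_required || (step == TLS_HANDSHAKE && handshake_ok);
}

int main(void)
{
    /* Constructed transcripts, not captured traffic. */
    const char *ok[]  = { "* OK still here\r\n", "a001 OK Begin TLS negotiation now\r\n" };
    const char *bad[] = { "a001 BAD Unknown command\r\n" };
    printf("OK reply:  LOGIN allowed = %d\n", may_send_login(1, starttls_reply("a001", ok, 2), 1));
    printf("BAD reply: LOGIN allowed = %d\n", may_send_login(1, starttls_reply("a001", bad, 1), 0));
    return 0;
}
```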



