GNOME Bugzilla – Bug 783317
Use https for autoconfig API
Last modified: 2017-06-05 15:56:06 UTC
While looking at https://bugzilla.gnome.org/show_bug.cgi?id=760329 I poked around the autoconfig code. It uses an "http" URL. That redirects to https. Let's use https straight away.
Created attachment 352989
patch
Thanks for the bug report. It might be from times when https:// had not been requested (/supported?) by the GNOME server, then nobody changed Evolution. I also do not think that there is anything private being sent to the server which would really need a secure connection; the "attacker" cannot get anything valuable from my point of view, but as long as the GNOME server redirects to https:// anyway, I've nothing against using https:// straight away.

Created commit 791a6c6 in evo master (3.25.3+)
Created commit ea0e608 in evo gnome-3-24 (3.24.3+)
(In reply to Milan Crha from comment #2)
> I also do not think that there is anything private being sent to the server
> which would really need secure connection, the "attacker" cannot get
> anything valuable from my point of view,

Well. It depends on your attacker. But it should be trivial to see that the passive adversary learns where your mailbox lives¹. The active adversary can even change where Evolution will send the credentials to in the next step. That can be quite dangerous indeed.

1: With changing to HTTPS we don't gain that much, because Evolution will, in the next step, issue a DNS request which the passive adversary will be able to see, too. But it's still good to make the attack surface smaller. Especially if it comes at very little cost.

Thanks for applying the patch so quickly.