Version: GIT (master) (using Devel)
OS: All
When you open the accountwizard it accesses api.opendesktop.org before you do anything. This is observable when you do not have a valid certificate for api.opendesktop.org installed: it will bring up the Server Authentication dialog. This is even with Enterprise build options where "Find provider settings on the Internet" is disabled by default. This is a security problem.
Reproducible: Always
Steps to Reproduce: Do not have any valid certificate for api.opendesktop.org. Open the accountwizard.
Expected Results: The accountwizard should not connect to anything apart from the server you configure if you do not explicitly tell it to.
Created attachment 59102 [details] Debugoutput of accountwizard startup
As the debug output shows, not only does it try to connect to api.opendesktop.org, but it also opens an unencrypted connection to "http://download.kde.org/ocs/providers.xml". Note again this is before any user interaction and right after the Accountwizard startup.
Created attachment 59103 [details] Debug output with the correct MIME type
CC'ed security@kde.org since I cannot assess how dangerous GetHotNewStuff really is.
It's not nice behavior but I don't see it being a security problem. Lots of things connect to a service by default; the problem here sounds like it's simply that the toggle to disable that behavior doesn't work correctly. It's a bug, but it should definitely be fixed.
This bug has only been reported for versions before 4.14, which have been unsupported for at least two years now. Can anyone tell if this bug is still present? If no one confirms this bug for a Framework-based version of kdepim (version 5.0 or later, as part of KDE Applications 15.08 or later), it gets closed in about three months.
Just as announced in my last comment, I close this bug. If you encounter it again in a recent version (at least 5.0 aka 15.08), please open a new one unless it already exists. Thank you for all your input.