Summary: Sends a plain HTTP request (https://github.com/KDE/kmail-account-wizard/blob/master/src/ispdbservice.cpp#L29) to retrieve the mail server's configuration file in the KMail account wizard.

Possible result: Consider an attack scenario in which the attacker and the victim are both located in a coffee shop, sharing the same Wi-Fi network. The attacker can tamper with any content transmitted over the plaintext connection, for example by specifying the target mail server as an attacker-controlled server.

If it is deliberate not to implement HTTPS, what is the reason for doing so?
see https://wiki.mozilla.org/Thunderbird:Autoconfiguration
(In reply to Laurent Montel from comment #1)
> see https://wiki.mozilla.org/Thunderbird:Autoconfiguration

Thank you for your reply. However, for a more secure implementation, KMail should at least try HTTPS first and fall back to HTTP requests in case it can't retrieve the configuration file successfully. Also, the latest specification and discussion of autoconfiguration are referenced in:
- https://datatracker.ietf.org/doc/draft-bucksch-autoconfig/00/
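The HTTPS-first lookup with plaintext fallback proposed in the comment above, as an added example written for this page; it is not code from kmail-account-wizard or from the commit that fixed the bug. The two host patterns (autoconfig.<domain> and <domain>/.well-known/autoconfig) follow the Mozilla autoconfiguration document linked in comment 1; the `Fetcher` abstraction, the `example.test` provider and the placeholder config body are constructed for the example. The point it shows is twofold: every https:// candidate is tried before any http:// one, and a config that did arrive over plaintext is tagged so the wizard can refuse to trust its server names silently.

```cpp
#include <cctype>
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Outcome of an autoconfig lookup. transportSecure records whether the
// document arrived over HTTPS; a caller must not treat an HTTP-sourced
// config (server names, ports, auth methods) as trustworthy without
// showing it to the user, because anyone on the path could have altered it.
struct AutoconfigResult {
    std::string url;
    std::string body;
    bool transportSecure;
};

// Transport abstraction (assumption for this example): returns the response
// body on success, std::nullopt on any failure. A real wizard would plug in
// its HTTP client here and also verify the TLS certificate for https URLs.
using Fetcher = std::function<std::optional<std::string>(const std::string& url)>;

// RFC 3986 percent-encoding for the emailaddress query parameter.
std::string percentEncode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

// Candidate locations in the order they are tried. Both host patterns are
// taken from the Mozilla autoconfig document; the ordering rule is the point:
// every https:// candidate precedes every http:// one, so plaintext is only
// used when no TLS endpoint answers.
std::vector<std::string> candidateUrls(const std::string& domain, const std::string& email) {
    const std::string query = "/mail/config-v1.1.xml?emailaddress=" + percentEncode(email);
    const char* schemes[] = {"https://", "http://"};
    std::vector<std::string> urls;
    for (const char* scheme : schemes) {
        urls.push_back(std::string(scheme) + "autoconfig." + domain + query);
        urls.push_back(std::string(scheme) + domain + "/.well-known/autoconfig" + query);
    }
    return urls;
}

bool isHttps(const std::string& url) {
    return url.rfind("https://", 0) == 0;
}

// Walk the candidates; the first one that answers wins, and the result
// remembers whether that winner was a TLS endpoint.
std::optional<AutoconfigResult> lookupAutoconfig(const std::string& domain,
                                                 const std::string& email,
                                                 const Fetcher& fetch) {
    for (const std::string& url : candidateUrls(domain, email)) {
        if (std::optional<std::string> body = fetch(url)) {
            return AutoconfigResult{url, *body, isHttps(url)};
        }
    }
    return std::nullopt;
}

// Constructed fetcher for a stand-alone demo: this "provider" only publishes
// its config over plaintext HTTP, so the lookup succeeds but is flagged.
std::optional<std::string> plaintextOnlyProvider(const std::string& url) {
    if (url == "http://autoconfig.example.test/mail/config-v1.1.xml?emailaddress=alice%40example.test")
        return std::string("<clientConfig version=\"1.1\"/>");  // constructed placeholder body
    return std::nullopt;
}

int main() {
    auto result = lookupAutoconfig("example.test", "alice@example.test", plaintextOnlyProvider);
    if (!result) {
        std::cout << "no autoconfig found\n";
        return 0;
    }
    std::cout << "fetched " << result->url << "\n";
    if (!result->transportSecure)
        std::cout << "WARNING: config came over plaintext HTTP; require user confirmation before use\n";
    return 0;
}
```

Keeping the transport result beside the body, rather than discarding it after the fetch, is what lets the account wizard apply a different policy to the two cases: an HTTPS-sourced config can be applied directly, while an HTTP-sourced one should at minimum be displayed (hostnames, ports, authentication method) for the user to confirm before any credentials are sent to the servers it names.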
Git commit 9784f5ab41c3aff435d4a88afb25585180a62ee4 by Laurent Montel.
Committed on 03/06/2024 at 11:42.
Pushed by mlaurent into branch 'master'.

Fix bug 487882: plaintext HTTP request in kmail-account-wizard
FIXED-IN: 6.2.0

M  +7  -11  src/ispdbservice.cpp
M  +5  -3   src/ispdbservice.h

https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4