
Bug#745556: Closing dialog for allowing invalid SSL certificate causes default to be accepted



On 2014-06-23 20:38, Jim Scadden wrote:
Rémi, please could you advise if you would still like the behaviour to be modified? If so, given that the user has already stated on the first dialog box that they wish to connect to the server, and closing the 2nd dialog causes the certificate to only be accepted for the current session, would you be happy for this bug to be tagged as 'wishlist' since this is something that could potentially require a substantial change upstream?

I am not sure I see the wisdom in tagging a security problem as wishlist. "Current session" is more than enough for a MITM to steal the IMAP or POP credentials and hijack the account. And in this case, it seems there is hardly any way out for the user: except for xkill, I cannot think of any way to reject an untrusted connection here.

I'd argue the security team is in a better position than me to determine what to do though.

--
Rémi Denis-Courmont

