Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#52888 - Password reset emails do not use TLS
Attached to Project:
Arch Linux
Opened by Deactivated account (TechnicalTotoro) - Tuesday, 07 February 2017, 23:03 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 March 2017, 00:21 GMT
Details
It is an accepted and good security standard for emails to use TLS, so at least the password reset emails for this site should use it. A new Gmail feature has alerted me to the fact that it is not used in the emails I receive from this site, most notably the password reset emails, which would be really bad if they got intercepted and read.
Closed by Doug Newgard (Scimmia)
Wednesday, 08 March 2017, 00:21 GMT
Reason for closing: No response
Comment by Doug Newgard (Scimmia) -
Tuesday, 07 February 2017, 23:08 GMT
I have no idea what site you're talking about.
Comment by Deactivated account (TechnicalTotoro) -
Tuesday, 07 February 2017, 23:11 GMT
This bugzilla or whatever you call it.
Comment by Giancarlo Razzolini (grazzolini) -
Sunday, 26 February 2017, 18:20 GMT
Can you forward me, as an attachment, the e-mail you received from flyspray? In all my tests the e-mail sends a link with an https:// URL. Or do you mean the e-mail transport from our server to yours? grazzolini at archlinux dot org
Comment by Deactivated account (TechnicalTotoro) -
Sunday, 26 February 2017, 19:42 GMT
I mean Transport Layer Security as in between the servers. Although I have noticed some of the emails now using it, not all of them do still, so perhaps there is a problem with it not properly detecting which servers support TLS and which don't?
Comment by Giancarlo Razzolini (grazzolini) -
Tuesday, 28 February 2017, 01:39 GMT
Well, as far as I know, SMTP should encrypt using best effort, also known as STARTTLS. But that's something that depends much more on the receiving SMTP server than on the sending one. Can you give me some examples of SMTP servers you know e-mails are going through unencrypted so I can see if it's something not configured correctly on our side?
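
The question of which server-to-server hops went unencrypted can be answered from a delivered message's Received headers, because the RFC 3848 "with" keyword (for example ESMTPS versus ESMTP) records whether a hop used TLS. The following is an added example, not part of the original thread or of Arch's tooling; the sample message, host names and function names are constructed for illustration.

```python
import email
import re

# RFC 3848 / RFC 6531 "with" keywords; an S suffix means the hop ran over TLS.
TLS_WITH = re.compile(r"(ESMTP|LMTP|UTF8SMTP|UTF8LMTP)SA?")
PLAIN_WITH = re.compile(r"SMTP|(ESMTP|LMTP|UTF8SMTP|UTF8LMTP)A?")

# Constructed sample message; hosts and addresses are reserved example values.
SAMPLE = """\
Received: from mx.receiver.example by store.receiver.example;
\tTue, 07 Feb 2017 23:05:02 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.receiver.example with ESMTP id def456
\tfor <user@receiver.example>; Tue, 07 Feb 2017 23:05:01 +0000
Received: from app.sender.example (app.sender.example [198.51.100.5])
\tby relay.sender.example with esmtps (TLS1.2) id ghi789;
\tTue, 07 Feb 2017 23:05:00 +0000
Subject: Password reset

(body omitted)
"""

def _clause(keyword, flat):
    """Return the token following 'from', 'by' or 'with', or None if absent."""
    m = re.search(r"\b%s\s+([^\s;]+)" % keyword, flat, re.I)
    return m.group(1) if m else None

def _tls(proto):
    p = (proto or "").upper()  # some MTAs write the keyword in lower case
    if TLS_WITH.fullmatch(p):
        return True
    return False if PLAIN_WITH.fullmatch(p) else None  # None: not recorded

def hops(raw):
    """List hops oldest first; Received headers are prepended, so reverse them."""
    msg = email.message_from_string(raw)
    out = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        proto = _clause("with", flat)
        out.append((_clause("from", flat), _clause("by", flat), proto, _tls(proto)))
    return out

def cleartext_hops(raw):
    """Hops that explicitly recorded a non-TLS keyword (unknown hops excluded)."""
    return [(src, dst) for src, dst, _, tls in hops(raw) if tls is False]

if __name__ == "__main__":
    print(cleartext_hops(SAMPLE))
```

Only Received lines written by servers you control or trust are reliable, since an earlier hop can put anything into the headers it passes on.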