FS#52888 - Password reset emails do not use TLS
Attached to Project:
Arch Linux
Opened by Deactivated account (TechnicalTotoro) - Tuesday, 07 February 2017, 23:03 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 March 2017, 00:21 GMT
Details
It is an accepted and good security standard for emails to
use TLS, so at least the password reset emails for this site
should use it. A new Gmail feature has alerted me to the
fact that it is not used in the emails I receive from this
site, most notably the password reset emails, for which it
would be really bad if they got intercepted and read.
Closed by Doug Newgard (Scimmia)
Wednesday, 08 March 2017, 00:21 GMT
Reason for closing: No response
Comment by Doug Newgard (Scimmia) - Tuesday, 07 February 2017, 23:08 GMT
I have no idea what site you're talking about.
Comment by Deactivated account (TechnicalTotoro) - Tuesday, 07 February 2017, 23:11 GMT
This bugzilla or whatever you call it.
Comment by Giancarlo Razzolini (grazzolini) - Sunday, 26 February 2017, 18:20 GMT
Can you forward me, as an attachment, the e-mail you received from
flyspray? In all my tests the e-mail sends a link with an https://
URL. Or do you mean the e-mail transport from our server to yours?
grazzolini at archlinux dot org
Comment by Deactivated account (TechnicalTotoro) - Sunday, 26 February 2017, 19:42 GMT
I mean Transport Layer Security as in between the servers.
Although I have noticed some of the emails now using it, not all
of them do still, so perhaps there is a problem with it not
properly detecting which servers support TLS and which don't?
Comment by Giancarlo Razzolini (grazzolini) - Tuesday, 28 February 2017, 01:39 GMT
Well, as far as I know, SMTP should encrypt using best effort,
also known as STARTTLS. But that's something that depends much
more on the receiving SMTP server, than on the sending one. Can
you give me some examples of SMTP servers you know e-mails are
going through unencrypted so I can see if it's something not
configured correctly on our side?
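
One way to answer the question of which hops delivered a message without TLS is to read the `with` clause of each Received header, where the RFC 3848 keywords ESMTPS/ESMTPSA mean STARTTLS was negotiated. This is an added example, not part of the original thread or of any Arch Linux or Flyspray code; the sample message, host names and ids in it are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords: an S in the suffix means STARTTLS was negotiated.
TLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

def _strip_comments(value):
    """Drop (nested) comments such as Postfix's '(using TLSv1.2 with cipher ...)'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def _clause(name, text):
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % name, text, re.I)
    return m.group(1) if m else None

def classify_hops(raw_message):
    """Return [(from, by, protocol, verdict)] in delivery order (oldest first)."""
    hops = []
    for header in message_from_string(raw_message).get_all("Received", []):
        # Unfold the header, remove comments, and drop the trailing date.
        text = _strip_comments(" ".join(header.split())).split(";")[0]
        proto = (_clause("with", text) or "").upper()
        verdict = "tls" if proto in TLS else "plaintext" if proto in PLAIN else "unknown"
        hops.append((_clause("from", text), _clause("by", text), proto or None, verdict))
    return hops[::-1]  # each server prepends its header, so reverse for delivery order

# Constructed sample message (hosts and ids are made up for illustration).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.recipient.example with ESMTP id r2si123; Sun, 26 Feb 2017 19:40:02 +0000
Received: from tracker.example.org (tracker.example.org [198.51.100.5])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby relay.example.net (Postfix) with ESMTPS id 4F1A2; Sun, 26 Feb 2017 19:40:01 +0000
Received: by tracker.example.org (Postfix, from userid 33)
\tid 9C0DE; Sun, 26 Feb 2017 19:40:00 +0000
From: tracker@example.org
To: user@recipient.example
Subject: Password reset

body
"""

if __name__ == "__main__":
    for hop in classify_hops(SAMPLE):
        print(hop)
```

Each Received line is written by the server that accepted the message, so only lines added by servers you operate or trust are reliable evidence of how a hop was transported.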