Hello,
On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
> Thunderbird has a MITM vulnerability with its otherwise rather groovy auto-configuration feature.
> The problem is that it makes requests via HTTP to retrieve the auto configuration information.
> This allows a black hat (e.g. the NSA) to modify the results sent to the client, and the client has no way to verify the results have not been tampered with.

Thank you for pointing out this vulnerability. However, https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a more appropriate place to discuss your concerns. I doubt Red Hat will address this issue without upstream involvement and I'm sure CentOS will not.
Regards, Leonard.
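
The following is an added example, not part of either message and not Thunderbird's code: a check a client or reviewer could run on an auto-configuration result before applying it, flagging the unauthenticated HTTP fetch described above and settings that warrant user confirmation. The function name `audit_autoconfig`, the sample URL and the hostnames are constructed for illustration, and the XML element names assume the Thunderbird autoconfig layout (`incomingServer`, `outgoingServer`, `hostname`, `socketType`).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the assumed autoconfig XML layout (not captured traffic).
SAMPLE_XML = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.mail-relay.test</hostname>
      <port>25</port>
      <socketType>plain</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""


def audit_autoconfig(source_url, xml_text, email_domain):
    """Return reasons not to apply this autoconfig result unattended."""
    findings = []
    if urlsplit(source_url).scheme.lower() != "https":
        findings.append("fetched without TLS: content is unauthenticated")
    # Stdlib parser keeps the example dependency-free; for untrusted input
    # prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    for server in root.iter():
        if server.tag not in ("incomingServer", "outgoingServer"):
            continue
        host = (server.findtext("hostname") or "").strip().lower()
        sock = (server.findtext("socketType") or "").strip().lower()
        label = f"{server.tag}[{server.get('type')}] {host}"
        # A host outside the mailbox domain can be legitimate (hosted mail),
        # but it is also what a rewritten response looks like, so ask the user.
        if host != email_domain and not host.endswith("." + email_domain):
            findings.append(f"{label}: host is outside {email_domain}")
        if sock not in ("ssl", "starttls"):
            findings.append(f"{label}: socketType {sock or 'missing'}, no transport encryption")
    return findings


if __name__ == "__main__":
    url = "http://autoconfig.example.com/mail/config-v1.1.xml"  # constructed URL
    for finding in audit_autoconfig(url, SAMPLE_XML, "example.com"):
        print(finding)
```

Content checks like these only narrow what a modified response can do; they do not authenticate the response, which requires fetching it over a verified TLS connection.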