Hello,
I have files this bug report more than 7 months ago and no progress have
been seen so far, depite several new versions of the package have been
published. The bug was files against version 52.2.1, were are now
at 52.6.0.
I really think this is big problem and even a security threat. The
current behaviour forces user to either put the exact same password
to several accounts (hence someone guessing one password will get
access to all accounts and their confidential informations) or to
store passwords (and by the way thunderbird seems to not even be able
to use passwords it already stored, it keeps asking for them, despite
having already registered them, pre-filling all entries it its popup
and checking by itself the "store password field", but this is another
story).
May be I was not clear enough in the first report, so lets try again.
I have one (really only ONE) server that holds several caldav accounts,
say "work", "teaching", "health", "legal", "shared-with-family",
"shared-with-business-partners", "shared-with-friends", "you-name-it".
Some calendars are accessed not only by me, but by other people and the
people having access to "shared-with-business-partners" should not have
access to "shared-with-family", so the passwords are different.
the only work-around would be to use the same username/password for
all calendars, but this would imply the confidential informations from
one calendar becomes available to people having access to another
calendar, even when they should not be able to access it. And this
happens regardless of their cladav client: the thunderbird bug forces
to configure the *server* in an insecure way because it is the only
way thunderbird will be able to access properly a bunch of calendars
hosted by a single server.
The current behaviour only ask me for a pair username/password *without*
even telling me to which calendar name correspond each popup. Upon
launching thunderbird, I get a bunch of requests, all the same, only
ginving me the name of the server, but this name is the same for all
calendars, so I cannot guess.
If I try pairs of usernames/password at random, I even get kicked of
the server after too many attempts due to protections like fail2ban.
Before July 2017, the requests included the name for which the password
was requested (i.e. here the calendar name) in the popup asking for
the credentials. The current behaviour is akin to a program telling you:
I need a password but I will not tell you what for, just give one to me
and I will not even tell you what I will do with it
Removing from the credentials request popup the information allowing to
provide the correct credentials is counter-productive and, imho,
decreases security. As explained above, either you allow everyone to see
all your confidential information because you end up using the same
password for everything, or you don't have access to your own data
because you are kicked off the server after too many failed attempts.
best regards,
Luc
