user name
2007-06-11 11:18:59
This is an email forwarded with permission from the Mozilla security
group mailing list, on the subject of the fact that Bugzilla access is
now SSL-protected, but bugmail is still transmitted in the clear.

Gerv

-------- Original Message --------
Subject: Bugmail is less secure than Bug views
Date: Mon, 11 Jun 2007 18:50:56 +0300
From: timeless <timelessgmail.com>
Reply-To: timelessgmail.com
To: security-group <security-groupmozilla.org>

Ben Bucksch wrote:
> We already use SSL for bugzilla, so it's hard to get to that.

Gervase Markham wrote:
> Except that every comment is sent out as unsecured bugmail. There is no
> immediate prospect of changing this.

At some point we (myself, a Bugzilla developer, and gerv also) should
consider how to approach this.

One thing would be to have bugmails simply be envelopes indicating bug
changes to secure bugs. Another would be to enable users to associate
SMIME/PGP keys with Bugzilla and ask it to SMIME encrypt mail to them.

-- That's the opt in approach. (kinda like the old days where https:
for Bugzilla was optional)

The Bugzilla I'm using commercially ostensibly requires connections
between itself and recipient SMTP servers be secured (and it's somehow
assumed that all mail that arrives at recipient servers is then
retrieved securely).

-- That's a mandatory approach. (kinda like today where https: for
Bugzilla is required)

It would be nice if the security group at some point gave input about
which path would be preferred. Or how to make such a path.

Note: irc.mozilla.org now has ircs support, and +z which enables you
to require everyone joining a channel use an SSL tunnel (and the
security group uses this feature). So given that we use SSL for real
time communication and for general security views, we probably should
look at getting bugmail to a similar level.
_______________________________________________
Security-group mailing list
Security-groupmozilla.org
https://mail.mozilla.org/listinfo/security-group
-
To view or change your list settings, click here:
<http://bugzilla.org/cgi-bin/mj_wwwusr?user=bondyahoo.com>

Re:
user name
2007-06-11 16:53:08
	Anybody who has an SSL cert and advertises TLS support on their
mail server receives mail with SSL. They can also make their POP or IMAP
connections with SSL.

	The mail is clear in their inbox, true, but I don't think this
is a real security concern.

	-Max

On Mon, 11 Jun 2007 17:18:59 +0100 Gervase Markham <gervmozilla.org>
wrote:
> This is an email forwarded with permission from the Mozilla security
> group mailing list, on the subject of the fact that Bugzilla access
> is now SSL-protected, but bugmail is still transmitted in the clear.

-- 
http://www.everythingsolved.com/
Competent, Friendly Bugzilla Services. And Everything Else, too.

Re:
user name
2007-06-12 04:57:58
Max Kanat-Alexander wrote:
> 	Anybody who has an SSL cert and advertises TLS support on their
> mail server receives mail with SSL. They can also make their POP or IMAP
> connections with SSL.

This is true but, as someone commented on the security list, there's no
way to enforce this. In a sense, it's optional rather than mandatory
security. It also doesn't help if people have mail forwarding, or if
they don't have control of their SMTP server (most people).

The way to do this would, I think, be to allow people to associate a
S/MIME or PGP key with their account, which would then be used to
encrypt all their bugmail where the bug was in one or more groups.

Sadly, none of these look ideal:
http://search.cpan.org/search?query=smime&mode=all

We need a library where we pass it the message text and the key, and get
the encrypted text back. Most of them seem centred around files on disk.

Gerv

Re:
user name
2007-06-12 09:04:52
> This is an email forwarded with permission from the Mozilla security
> group mailing list, on the subject of the fact that Bugzilla access is
> now SSL-protected, but bugmail is still transmitted in the clear.


i reckon we should implement this as a bugzilla plugin -- pass the
message to an external handler after it has been packaged in mime for
modification, then deliver the modified content.

it can then use whatever's appropriate to sign the message .. call
openssl, pgp, .net, ...


-b


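The handler discussed in the two messages above (message text and key in, encrypted text out, by calling openssl), as an added example that is not part of the original thread and is not Bugzilla code. The function names, addresses and throwaway certificate are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# smime_wrap CERT FROM TO SUBJECT
# stdin:  the bugmail already packaged as a MIME entity (headers + body)
# stdout: an S/MIME message encrypted to the recipient's certificate
# Outer headers are NOT encrypted, so the caller passes a neutral SUBJECT.
smime_wrap() {
    cert=$1; from=$2; to=$3; subject=$4
    # No usable key on file: fail instead of falling back to cleartext.
    [ -r "$cert" ] || { echo "smime_wrap: no certificate for $to" >&2; return 2; }
    # Buffer the result so a failed openssl run emits nothing deliverable.
    wrapped=$(openssl smime -encrypt -aes256 \
        -from "$from" -to "$to" -subject "$subject" "$cert") || return 1
    printf '%s\n' "$wrapped"
}

# smime_unwrap KEY CERT: what the recipient's mail client does on receipt.
# openssl canonicalises line endings to CRLF when encrypting; strip the CRs
# so the result compares equal to the LF-only input.
smime_unwrap() {
    openssl smime -decrypt -inkey "$1" -recip "$2" | tr -d '\r'
}

# Constructed throwaway identity, for the demonstration only.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=reporter.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Round trip on a constructed message; returns 0 if the plaintext survives
# and the body does not appear in what would go over SMTP.
roundtrip_demo() {
    demo_dir=$(mktemp -d) || return 1
    make_test_identity "$demo_dir" || return 1
    msg='Content-Type: text/plain

Comment on a group-restricted bug (constructed sample).'
    sent=$(printf '%s\n' "$msg" | smime_wrap "$demo_dir/cert.pem" \
        bugzilla-daemon@bugs.example reporter@mail.example '[Bug 1] changed') || return 1
    got=$(printf '%s\n' "$sent" | smime_unwrap "$demo_dir/key.pem" "$demo_dir/cert.pem")
    rm -rf "$demo_dir"
    case $sent in *"group-restricted"*) return 1 ;; esac
    [ "$got" = "$msg" ]
}
```

Nothing touches disk except the recipient's certificate, and the message body is protected regardless of whether any SMTP hop or forwarding step uses TLS.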

Re:
user name
2007-06-13 08:16:05
byron wrote:
> i reckon we should implement this as a bugzilla plugin -- pass the
> message to an external handler after it has been packaged in mime for
> modification, then deliver the modified content.

That seems entirely reasonable.

Gerv