SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) supports #4191

Open
Neustradamus opened this issue Sep 7, 2019 · 7 comments
Labels
type: enhancement New features or improvements to existing features.

Comments

Neustradamus commented Sep 7, 2019

Dear @k9mail team, @thunderbird team,

Can you add support for:

  • SCRAM-SHA-1
  • SCRAM-SHA-1-PLUS
  • SCRAM-SHA-256
  • SCRAM-SHA-256-PLUS
  • SCRAM-SHA-512
  • SCRAM-SHA-512-PLUS
  • SCRAM-SHA3-512
  • SCRAM-SHA3-512-PLUS

You can also add:

  • SCRAM-SHA-224
  • SCRAM-SHA-224-PLUS
  • SCRAM-SHA-384
  • SCRAM-SHA-384-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

  • RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

2FA:

IANA:

Linked to:

@cketti cketti added the type: enhancement New features or improvements to existing features. label Oct 12, 2019
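
As an added illustration (not code from K-9 Mail or from any commenter), the preference order quoted in the opening post can be expressed as client-side mechanism selection over an IMAP `AUTH=` capability list. The function names, the sample capability lines in the comments, the ranking of SCRAM-SHA-1-PLUS above SCRAM-SHA-256 when binding is possible, and the rule of allowing PLAIN only over TLS are assumptions of this example; the GS2 flags `p`/`y`/`n` are those defined in RFC 5802.

```python
from typing import NamedTuple, Optional

# Strongest first, following the quoted recommendation.
PLUS_ORDER = ("SCRAM-SHA-256-PLUS", "SCRAM-SHA-1-PLUS")
PLAIN_ORDER = ("SCRAM-SHA-256", "SCRAM-SHA-1")


class Choice(NamedTuple):
    mechanism: str
    gs2_cbind_flag: Optional[str]  # RFC 5802 GS2 header flag; None for PLAIN


def advertised_mechanisms(capability_line: str) -> set:
    """Extract SASL mechanism names from an IMAP CAPABILITY line (AUTH=<mech>)."""
    return {tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}


def choose(capability_line: str, tls_active: bool,
           cb_type: Optional[str]) -> Optional[Choice]:
    """Pick a mechanism and the GS2 channel-binding flag to send with it.

    cb_type names the channel binding the TLS stack can supply
    (e.g. "tls-unique" or "tls-exporter"), or None if it cannot supply one.
    Constructed sample input:
      "* CAPABILITY IMAP4rev1 AUTH=SCRAM-SHA-256-PLUS AUTH=SCRAM-SHA-256 AUTH=PLAIN"
    """
    offered = advertised_mechanisms(capability_line)
    can_bind = tls_active and cb_type is not None

    if can_bind:
        for mech in PLUS_ORDER:
            if mech in offered:
                return Choice(mech, f"p={cb_type}")

    for mech in PLAIN_ORDER:
        if mech in offered:
            # "y" = client could bind but saw no -PLUS offered. A server that
            # does support -PLUS must then fail the exchange, which exposes a
            # stripped capability list. "n" = client cannot bind at all.
            return Choice(mech, "y" if can_bind else "n")

    # Assumption of this example: a plaintext password only over TLS.
    if "PLAIN" in offered and tls_active:
        return Choice("PLAIN", None)
    return None
```
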
@Neustradamus
Author

Dear @k9mail team,

Happy New Year 2022!

Have you looked at SCRAM-SHA-* support?

Thanks in advance.

@cketti
Member

cketti commented Jan 8, 2022

Please don't spam the issue tracker. While this might be the single most important issue for you, it's certainly not for everyone.

When someone opens a pull request to implement this functionality, they will reference this issue and you'll be able to see it in the issue timeline. There's no need to ask for status reports.

@Neustradamus
Author

@cketti: Thanks for your reply!

But it is a SECURITY problem; currently it is insecure to use K-9.

@cketti
Member

cketti commented Jan 8, 2022

No, it's not. By default K-9 Mail uses transport encryption (SSL/TLS or STARTTLS). Using "normal password" authentication is fine when the transport channel is encrypted.

@Neustradamus
Author

@cketti: I have added the last RFC in the description: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:

I wish you a good reading.

@Neustradamus
Author

Dear @k9mail team, @thunderbird team,

I wish you a Happy New Year 2024!

Have you progressed on it?

It is linked to POP/IMAP/SMTP/JMAP for the security of all.
As a reminder, SCRAM has been a standard since 2010.

Thanks in advance.

@Neustradamus
Author

Dear @thunderbird team, @k9mail team, @cketti,

After the comment on the other ticket, have you progressed on this missing SECURITY support?
Have you looked at RFC9051 and the others?

Note that the first RFC has existed since 2010 (more than 13 years and 6 months).

I can send an email to the SECURITY team to explain the historical SECURITY problem.

Thanks in advance.
