[Reportbug-maint] Bug#639698: reportbug: STARTTLS failure - continue without TLS

Gabriel Filion gabster at lelutin.ca
Wed Apr 8 20:13:37 UTC 2015


That sounds like a terrible idea.. unless you meant to make reportbug
try STARTTLS in that case and then fail if this doesn't work.

But if the user asked for an encrypted communication, the app should not
fall back to sending it in clear text. That's the basis of all the
nastiness of downgrade attacks that could happen with STARTTLS and other
protocols that permit this kind of fallback.

The best option here should be to have a clear error message of what
didn't work.

-- 
Gabriel Filion
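
An added example, not part of the original message and not reportbug's own code: a fail-closed STARTTLS wrapper around an `smtplib.SMTP`-style connection, showing the behaviour argued for above (no clear-text fallback, a clear error instead). `TLSRequiredError`, `send_report` and the offline `FakeSMTP` stand-in are hypothetical names constructed for illustration.

```python
import smtplib
import ssl


class TLSRequiredError(Exception):
    """Encryption was requested but could not be negotiated."""


def send_report(conn, from_addr, to_addr, message, require_tls=True, context=None):
    """Send over an smtplib.SMTP-like connection, never downgrading silently."""
    conn.ehlo()
    if require_tls:
        if not conn.has_extn("starttls"):  # a missing offer may be a stripped one
            raise TLSRequiredError("STARTTLS not offered by server; not sending in clear text")
        try:
            conn.starttls(context=context or ssl.create_default_context())
        except (smtplib.SMTPException, OSError) as exc:  # ssl.SSLError is an OSError
            raise TLSRequiredError(f"STARTTLS failed ({exc}); message not sent") from exc
        conn.ehlo()  # capabilities must be re-read over the encrypted channel
    conn.sendmail(from_addr, [to_addr], message)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""

    def __init__(self, extensions, handshake_ok=True):
        self.extensions, self.handshake_ok = extensions, handshake_ok
        self.encrypted, self.sent = False, []

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() in self.extensions

    def starttls(self, context=None):
        if not self.handshake_ok:
            raise smtplib.SMTPResponseException(454, b"TLS not available")
        self.encrypted = True

    def sendmail(self, from_addr, to_addrs, msg):
        self.sent.append((self.encrypted, msg))

if __name__ == "__main__":
    stripped = FakeSMTP(extensions={"size"})  # constructed: EHLO reply without STARTTLS
    try:
        send_report(stripped, "user@example.org", "submit@example.org", "body")
    except TLSRequiredError as err:
        print("error:", err, "| messages sent:", len(stripped.sent))
```

Clear-text delivery happens only when the caller passes `require_tls=False` explicitly; a failed upgrade never selects it.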
