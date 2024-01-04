StartTLS | Absence
pigeonskiller
Unacceptable Absence of StartTLS in Vivaldi: A Persistent Shortcoming Three Years After the Bug was Reported
This is not a cross topic: its just my request in english following my previous topic at https://forum.vivaldi.net/topic/53524/account-su-alice-it-impossibile-da-configurare-protocollo-starttls-mancante-missing-starttls-protocol/16?_=1704385638946
Dear Vivaldi Developers, I am the one who opened this topic well over 3 years ago.
I come to you with growing concern about a fundamental and unacceptable gap in the management of email accounts within your browser: the lack of support for StartTLS. It is with a sense of frustration and disappointment that I express my dismay that this critical vulnerability has not yet been resolved, despite bug reports having been filed for over three years now.
StartTLS is a crucial component for ensuring secure email communications, protecting sensitive user data during transmission. Its implementation is a best practice in the cybersecurity industry and an essential feature for any email client. Its absence in Vivaldi constitutes a significant security flaw, putting user privacy and protection at risk.
Unresolved bug reports represent a clear failure in your efforts to provide a reliable and secure product. We cannot ignore the fact that the security of personal data and online communications is a top priority for modern users, and the lack of support for StartTLS is a serious flaw that goes beyond a mere lack of features.
I strongly urge you to dedicate the resources necessary to address this matter immediately. The delay in resolving such a critical issue calls into questioning your focus on security and your ability to respond to the needs of your users. User trust is fragile, and failure to act on this issue could have negative consequences for your brand and reputation.
I urgently ask you to consider this issue as a top priority and to inform the user community about concrete timelines for the implementation of StartTLS in the management of Vivaldi mail accounts. Security is not an option; it is a fundamental requirement. It is the developers' responsibility to ensure that Vivaldi maintains the highest standards of cybersecurity.
Please act promptly to address this security deficiency and demonstrate your commitment to data protection and user satisfaction.
In the hope that this problem will be resolved soon in the new year, I send you my best wishes.
mib2berlin
@pigeonskiller
Hi, this is a user forum, the Vivaldi developer don`t read here.
Do you have a bug number from the confirmation mail as you reported it to the Vivaldi bug tracker?
I can look for the status and maybe ask the developer what happen.
To my knowledge many mail provider disabled StartTLS because it is not secure but I am not an expert in this case.
Cheers, mib
pigeonskiller
@mib2berlin
Ok, thanks.
@mib2berlin Should be VB-75052.
mib2berlin
@pigeonskiller
Hi, I add a comment to the bug report @Hadden89 mention asked the developer about the status of StartTLS for Vivaldi.
Cheers, mib
Pesala Ambassador
@pigeonskiller I see that StartTSL is in the Mail configuration in settings.
@Pesala I also just realized that this setting exists for the outgoing server, but apparently not for the incoming server. I get handshake errors with the servers I have access to if I try to use the StartTLS ports alice.it requires (143 for incoming and 587 for outgoing)
@pigeonskiller Try to change the outgoing server setting to StartTLS as @Pesala pointed out above, and make sure you set the ports to 143 for the incoming server and 587 for the outgoing server.
Now, regarding your concern:
@pigeonskiller said in Unacceptable Absence of StartTLS in Vivaldi: A Persistent Shortcoming Three Years After the Bug was Reported:
Security is not an option; it is a fundamental requirement.
There sees to be a misunderstanding. Vivaldi supports SSL/TLS, and StartTLS is not working. Quote https://serverfault.com/a/895313
*With SSL/TLS, the client opens a TCP connection to the "SSL port" assigned to the application protocol it wants to use, and starts speaking TLS immediately.
With STARTTLS, the client opens a TCP connection to the "cleartext port" associated with the application protocol it wants to use, then asks the server "what protocol extensions do you support?". The server then responds with a list of extensions. If one of those extensions is "STARTTLS", the client can then say "okay, let's use TLS" and the two start speaking TLS.*
--> Vivaldi supports the secure version and has trouble with the less secure version. There is no security deficiency here, only the nuisance that Vivaldi does not properly support starting the communication with an unencrypted handshake, and apparently alice requires the unencrypted handshake to upgrade to SSL/TLS which Vivaldi requires.
-
edwardp Ambassador
@WildEnte said in Unacceptable Absence of StartTLS in Vivaldi: A Persistent Shortcoming Three Years After the Bug was Reported:
*With SSL/TLS, the client opens a TCP connection to the "SSL port" assigned to the application protocol it wants to use, and starts speaking TLS immediately.
With STARTTLS, the client opens a TCP connection to the "cleartext port" associated with the application protocol it wants to use, then asks the server "what protocol extensions do you support?". The server then responds with a list of extensions. If one of those extensions is "STARTTLS", the client can then say "okay, let's use TLS" and the two start speaking TLS.*
This information is correct. Note that SSL/TLS will not work on Port 143.
For those who would like the technical details, there is a new (August 2021) RFC, pertaining to IMAP. StartTLS is at section 11.2:
RFC 9051 - Internet Message Access Protocol (IMAP) - Version 4rev2