From cce6e3905c62ae2ffbddbea4d8ff4ed4fd253329 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 16 Jul 2009 19:50:12 +0000 Subject: TODO: sslfingerprint and thereabouts. svn path=/branches/BRANCH_6-3/; revision=5388 --- NEWS | 2 ++ TODO.txt | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/NEWS b/NEWS index a1e2ae1c..edab25a3 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,8 @@ removed from a 6.4.0 or newer release.) * POP2 is obsolete, support will be removed from a future fetchmail version. * RPOP is obsolete, support will be removed from a future fetchmail release. * --sslcertck will become a default setting in a future fetchmail version. +* --sslfingerprint may be removed from a future fetchmail version, because it's + just too easily abused to create a false sense of security. * The multidrop To/Cc guessing code along with the fragile duplicate suppressor is deprecated and may be removed from a future release. * The "envelope Received" option may be removed from a future release, because diff --git a/TODO.txt b/TODO.txt index a6186a1f..97305e01 100644 --- a/TODO.txt +++ b/TODO.txt @@ -90,6 +90,10 @@ questionable: - CRYPTO: perhaps port to NSS? Check license and features and required procedure changes. - Redhat Bugs #333741 (crypto consolidation), #346891 (port fetchmail to NSS) - CRYPTO: make the SSL default v3 (rather than v23). +- CRYPTO: remove sslfingerprint? too easily abused (see NEWS) +- CRYPTO: force sslcertck +- CRYPTO: by default forbid cleartext or other compromising password + schemes over insecure connections? - put more hints to the FAQ (should we call it FGA?) as first support place - make sure we print socket error messages such as connection reset by peer to hint users the problem is not in fetchmail -- cgit v1.2.3