What steps will reproduce the problem?
1. Start wireshark with apprioriate filters to reduce entries
2. Refresh Google contacts resource in KAddressbook
What is the expected output? What do you see instead?
I would expect that all traffic goes over an encrypted HTTPS channel. Instead,
I see that contacts are transferred over plain HTTP with all an authentication
token in it.
What version of the product are you using? On what operating system?
I am using 0.9.6 on Arch Linux (https://aur.archlinux.org/packages.php?ID=24286)
Please provide any additional information below.
I also checked with openssl' s_server whether the implementation was vulnerable
to a MITM attack. Luckily, this was not the case: it simply aborts the
connection setup. I did not receive any feedback however in KAddressbook,
though I saw an "invalid password" message in akonadiconsole.
The attached patch is tested and did not cause regressions in the contacts
retrieval functionality.
Original issue reported on code.google.com by
lekenst...@gmail.comon 23 Jun 2012 at 9:12Attachments: