Details
Suggestion
Resolution: Won't Fix
Description
Problem Definition
Companies may have sensitive information in their JIRA site that watchers or request participants of an issue will receive via email when a change is made to the issue. This is fine if the recipient server supports TLS, because the on-demand cloud e-mail senders now support TLS, but this is a negotiated protocol, and if a non-TLS e-mail recipient is watching a JIRA issue, the confidential content will be broadcast over the internet in a non-secure fashion.
Suggested Solution
The ability to change the outbound e-mail feature from "request" to "require" TLS on a project-by-project or issue-by-issue basis such that sensitive information can still be accessed by an individual with an e-mail pointing to a mail host that does not support TLS (which is a relatively small proportion of the internet population these days), but if that individual watches an issue, they will not receive the notification because the e-mail sending action will "require" the receiving mail exchange to support TLS. Since TLS is not supported, the mail sending action will then fail, and not broadcast the content unencrypted.
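The difference between "request" and "require" described above, as an added sketch that is not part of the original ticket and is not Atlassian's code. The project keys, addresses, the `REQUIRE_TLS` table, the `notify` function and the `FakeMX` stand-in are all constructed for illustration; `notify` uses only methods that `smtplib.SMTP` also provides.

```python
import ssl

# Hypothetical per-project policy (project keys are constructed for this example).
REQUIRE_TLS = {"SEC": True, "DOCS": False}

class FakeMX:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, offers_starttls):
        self.offers_starttls, self.encrypted, self.delivered = offers_starttls, False, []
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls
    def starttls(self, context=None):
        self.encrypted = True
        return (220, b"ready")
    def sendmail(self, sender, rcpt, msg):
        self.delivered.append((rcpt, self.encrypted))
    def quit(self):
        pass

def notify(smtp, project, sender, rcpt, msg):
    """Send one notification under the project's TLS policy.

    Returns "encrypted", "cleartext" (request-mode fallback) or "withheld"
    (require mode and the receiving server did not advertise STARTTLS).
    """
    require = REQUIRE_TLS.get(project, True)  # unknown project: fail closed
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # The default context verifies the server certificate and hostname.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities seen before TLS are untrusted; ask again
            smtp.sendmail(sender, rcpt, msg)
            return "encrypted"
        if require:
            return "withheld"  # nothing leaves over an unencrypted channel
        smtp.sendmail(sender, rcpt, msg)
        return "cleartext"
    finally:
        smtp.quit()

if __name__ == "__main__":
    for project in ("SEC", "DOCS"):
        for tls in (True, False):
            result = notify(FakeMX(tls), project, "jira@example.com",
                            "watcher@example.net", "Subject: update\r\n\r\nbody")
            print(project, "STARTTLS" if tls else "no STARTTLS", "->", result)
```

In request mode a missing STARTTLS advertisement results in a silent cleartext send, whether the server genuinely lacks TLS or the advertisement was removed in transit; require mode turns both cases into a withheld notification.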