
Bug #10765

Allow pinning certificates in Thunderbird

Added by sajolida about 4 years ago. Updated over 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
12/16/2015
Due date:
% Done:

0%

Feature Branch:
Type of work:
Test
Blueprint:
Starter:
Affected tool:
Email Client

Description

While browsing the web, you might be presented with many different certificates every day, but in the case of email you basically always use the same certificates: the ones from your email provider. So trusting all CAs by default and allowing so many possible man-in-the-middle attacks is not really needed for usability.

We should have some mechanism to allow pinning certificates in Icedove instead of relying on the default certificate authorities.

This relates to https://trac.torproject.org/projects/tor/ticket/13607 which is unlikely to happen any time soon in TorBirdy.

Other people mentioned Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/) or Cert Viewer Plus (https://addons.mozilla.org/en-US/firefox/addon/cert-viewer-plus/?src=search)

The first thing would be to test these.

History

#1 Updated by u about 4 years ago

I've quickly tested the Certificate Patrol extension.

It allows for managing TLS certificates (deleting, distrusting them, importing own certs etc.)

By default, small changes to certificates are not shown, but this option can be activated.

Those which have already been accepted once and stored permanently continue to be accepted.
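The pinning model the description asks for (trust the provider's own certificate, not the CA set) and the trust-on-first-use behaviour reported for Certificate Patrol above, as an added example in Python. This is not code from the ticket, Tails, Thunderbird or Certificate Patrol. The host name mail.example.org, the pin file name and the byte strings used as stand-ins for DER certificates are illustrative assumptions; the live-fetch helper only reads the TLS leaf certificate of an IMAPS server and sends no IMAP commands.

```python
import hashlib
import hmac
import json
import os
import socket
import ssl
import sys


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex.

    This is the "SHA-256 fingerprint" a certificate viewer displays, so a
    user can compare it with what the mail provider publishes out of band.
    """
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use pin store mapping "host:port" to a fingerprint.

    path=None keeps the pins in memory only; otherwise pins are persisted to
    a JSON file so a certificate accepted once stays accepted across runs.
    """

    def __init__(self, path=None):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self):
        if self.path:
            with open(self.path, "w", encoding="utf-8") as fh:
                json.dump(self.pins, fh, indent=2)

    def check(self, host, port, der_cert, pin_on_first_use=True):
        """Compare the presented certificate against the stored pin.

        Returns one of:
          "pinned"   - never seen before, now stored (trust on first use)
          "match"    - same certificate as the stored pin
          "mismatch" - a different certificate: possible MITM or a renewal
          "unknown"  - never seen and pin_on_first_use is False
        A CA-signed certificate that is not the pinned one is still a
        mismatch; the CA set is deliberately not consulted at all.
        """
        key = f"{host}:{port}"
        seen = fingerprint(der_cert)
        stored = self.pins.get(key)
        if stored is None:
            if not pin_on_first_use:
                return "unknown"
            self.pins[key] = seen
            self._save()
            return "pinned"
        # constant-time compare; both sides are fixed-length hex strings
        return "match" if hmac.compare_digest(stored, seen) else "mismatch"


def fetch_imaps_leaf_cert(host, port=993, timeout=10):
    """Fetch the leaf certificate an IMAPS server presents, as DER bytes.

    CA validation is disabled on purpose: the pin check above replaces it.
    check_hostname must be cleared before verify_mode can be CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # usage: python pin_check.py mail.example.org [993]  (assumed file name)
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    store = PinStore(os.path.expanduser("~/.mail-cert-pins.json"))
    cert = fetch_imaps_leaf_cert(host, port)
    result = store.check(host, port, cert)
    print(f"{host}:{port} {fingerprint(cert)} -> {result}")
    # refuse to go on after a mismatch; the user must re-pin explicitly
    sys.exit(0 if result in ("pinned", "match") else 1)
```

Pinning the whole certificate means a routine renewal by the provider shows up as a mismatch, which is the "small change" case the extension lets you surface or hide; the user then verifies the new fingerprint out of band and deletes the old pin. Pinning the SHA-256 of the SubjectPublicKeyInfo instead would survive renewals that keep the same key, at the cost of not noticing a key-preserving reissue.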

#2 Updated by u about 4 years ago

  • Target version set to Tails_2.3

#3 Updated by u about 4 years ago

  • Target version changed from Tails_2.3 to Tails_2.2

#4 Updated by Dr_Whax about 4 years ago

Certificate Patrol only works in Thunderbird when you open a webpage and doesn't provide me with any feedback about certificates for e-mail servers. This renders the extension useless.

I also looked at the "paranoia" plugin: it shows whether all paths had SSL-encrypted communications, but not with fingerprints or which certificate was used. It seems to have problems dealing with PGP e-mail.

#5 Updated by muri almost 4 years ago

  • Target version deleted (Tails_2.2)

Removing target version as discussed in the monthly meeting, as it is a new feature (no bugfix, no regression, etc.) and no one present wants to dig into it at the moment.

#6 Updated by Dr_Whax almost 4 years ago

  • Assignee set to Dr_Whax

I reported this bug a while ago to one of the developers but it seems the `certificate-patrol` plugin isn't really being maintained.

I tried to compile another tool from the same author (https://github.com/tg-x/libcertpatrol) but so far it hasn't compiled yet, and I filed a bug with him personally.

I'm assigning the ticket to myself since I hope to get this working and see where we can go from there.

#7 Updated by Dr_Whax almost 4 years ago

I've spent a bunch of time trying to get libcertpatrol to LD_PRELOAD some applications and so far it hasn't worked out for me. I don't think there is going to be much work to get it supported. I don't think there are a lot of alternatives left.

#8 Updated by u over 1 year ago

  • Subject changed from Allow pinning certificates in Icedove to Allow pinning certificates in Thunderbird

#9 Updated by u over 1 year ago

DrWhax: are you still planning to work on this? If not, please unassign yourself from this ticket.

#10 Updated by Dr_Whax over 1 year ago

  • Status changed from Confirmed to Rejected

In fact, I'm closing this ticket. I don't think there's much we can do for now.

#11 Updated by sajolida over 1 year ago

  • Assignee deleted (Dr_Whax)
  • Starter deleted (Yes)

Some smaller mail providers started offering onion services for their mail servers (riseup.net does that, and my email provider as well), and this is roughly equivalent to pinning their certificate.
