Allow pinning certificates in Thunderbird
While browsing the web, you might be presented with many different certificates every day, but in the case of email, you basically always use the same certificates: the ones from your email provider. So trusting all CAs by default and allowing so many possible man-in-the-middle attacks is not really needed for usability.
We should have some mechanism to allow pinning certificates in Icedove instead of relying on the default certificate authorities.
This relates to https://trac.torproject.org/projects/tor/ticket/13607 which is unlikely to happen any time soon in TorBirdy.
Other people mentioned Certificate Patrol (https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/) or Cert Viewer Plus (https://addons.mozilla.org/en-US/firefox/addon/cert-viewer-plus/?src=search).
The first thing would be to test these.
#1 Updated by u about 4 years ago
I've quickly tested the Certificate Patrol extension.
It allows for managing TLS certificates (deleting, distrusting them, importing own certs etc.)
The default options do not require small changes to certificates to be shown, but this option can be activated.
Those which have already been accepted once and stored permanently continue to be accepted.
#4 Updated by Dr_Whax about 4 years ago
Certificate patrol only works in Thunderbird when you open a webpage and doesn't provide me with any feedback about certificates for e-mail servers, thus rendering the extension useless.
I also looked at the plugin "paranoia": it shows whether all paths had SSL-encrypted communications, but not the fingerprints or which certificate was used. It seems to have problems dealing with PGP e-mail.
#6 Updated by Dr_Whax almost 4 years ago
- Assignee set to Dr_Whax
I reported this bug a while ago to one of the developers but it seems the `certificate-patrol` plugin isn't really being maintained.
I tried to compile another tool from the same author (https://github.com/tg-x/libcertpatrol) but so far, it hasn't compiled yet and I filed a bug with him personally.
I'm assigning the ticket to myself since I hope to get this working and see where we can go from there.