Project

General

Profile

Bug #15788

Feature #6156: Upstream secure Thunderbird autoconfig wizard

Rethink our patches with Thunderbird 60

Added by CyrilBrulebois about 1 year ago. Updated 11 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
08/14/2018
Due date:
% Done:

100%

Feature Branch:
Type of work:
Research
Blueprint:
Starter:
Affected tool:
Email Client

Description

TB 60 comes with improvements related to protocols vs. security.

See screenshots when trying to validate a configuration with a cleartext SMTP server as discovered by the config wizard.

It seems it might be time to re-evaluate the Tails-specific patches.

autoconf1.png View - Config wizard results (65.4 KB) CyrilBrulebois, 08/14/2018 07:50 PM

autoconf2.png View - Big red warning (69.4 KB) CyrilBrulebois, 08/14/2018 07:50 PM


Related issues

Related to Tails - Bug #15387: The Mozilla auto_config database requires an unusable CAPTCHA for Torified requests Rejected 03/07/2018
Related to Tails - Bug #12203: Thunderbird account setup wizard fails with "Programming bug. Assertion failed, see log." when using Manual config Confirmed 01/31/2017

History

#1 Updated by intrigeri about 1 year ago

  • Status changed from New to Confirmed
  • Target version changed from Tails_3.9 to Tails_3.11
  • Affected tool set to Email Client

#2 Updated by intrigeri about 1 year ago

  • Parent task set to #6156

#3 Updated by intrigeri about 1 year ago

Next steps:

  1. test this with a pristine Thunderbird (without our #6156 patches)
  2. confirm the warning appears there as well
  3. assess the marginal benefit of our patches compared to what pristine Thunderbird already does

#4 Updated by u about 1 year ago

  • Related to Bug #15387: The Mozilla auto_config database requires an unusable CAPTCHA for Torified requests added

#5 Updated by u about 1 year ago

  • Related to Bug #12203: Thunderbird account setup wizard fails with "Programming bug. Assertion failed, see log." when using Manual config added

#6 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to lamby
  • Target version changed from Tails_3.11 to 2019

(As part of #6156.)

#7 Updated by lamby about 1 year ago

  • Assignee changed from lamby to intrigeri

Similar to #15790, did we discuss this? I don't recall doing so, thus just wondering if it's a mistake to assign it over to me specifically? And, again, if it's "to be discussed" feel free to assign back - I note the "2019" target.

#8 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to lamby

(Yes, to be discussed, like the parent ticket :)

#9 Updated by anonym 11 months ago

  • Status changed from Confirmed to Resolved
  • Assignee deleted (lamby)
  • Target version changed from 2019 to Tails_3.11
  • % Done changed from 0 to 100
  • QA Check set to Pass

CyrilBrulebois wrote:

It seems it might be time to re-evaluate the Tails-specific patches.

Me and Ulrike already did: given the warning page we removed the "Secure protocols only" checkbox (but preserved it as a hidden pref for Tails and/or Torbirdy, although whether we want to is a pending discussion).

Note that Thunderbird only has solved one half of the protocol security problems: it warns when insecure protocols end up in the final configuration the user picks. But it will still do a insecure HTTP fetch from the mail provider before anything else that could be MitM:ed and present the user a SSL-enabled configuration (so no warninig) that points to evil.org instead of what the user wants. Our patches still fixes that, and many other things (proxy support for guessing, Tor-friendly (= higher) timeouts, disable OAth2, ...).

Any way, I think this ticket is resolved. Please reopen if you think I'm mistaken!

Also available in: Atom PDF