Re: Thunderbird and end-to-end email encryption – should this be a priority?

Joshua Cranmer 🐧 pidgeot18 at gmail.com
Wed Aug 26 14:40:46 UTC 2015


On 8/26/2015 5:42 AM, Bron Gondwana wrote:
> Meanwhile, low hanging fruit... does Thunderbird ever send passwords 
> in plaintext over the wire without you doing an arcane dance in 
> about:config somewhere?

We give you big red security boxes if you try to config an account in 
this way, although later modification of account settings don't trigger 
these.
> Will it connect to servers with self-signed certificates without you 
> doing a similar dance?

Self-signed certificates are exactly as secure from a privacy 
perspective as no security at all, in the face of active attackers.

> Are you still embedding a giant complex browser engine from an 
> organisation which doesn't give a shit about making sure they aren't 
> breaking your tree or removing things that you depend on, and isn't 
> making security fixes for your branches a priority?

*THAT* is not low-hanging fruit.

-- 
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist




More information about the tb-planning mailing list