Why we need Gecko updates (was: Future Planning: Thunderbird as a Web App)

Ben Bucksch ben.bucksch at beonex.com
Wed Dec 9 00:40:09 UTC 2015


Gervase Markham wrote on 18.09.2015 15:32:
> To put it another way: "what would we have lost if we had forked m-c two
> years ago"?

Hey Gerv,

That's simple to answer: Security patches.

As you know from being at the Mozilla Security Group and the public 
advisories, the Gecko rendering and JS engines have security holes fairly 
regularly. Every month (or every few months), there's a critical 
security hole, whereby "critical" means that any random ad published via 
an ad server on a website you visit can read all your files on your 
computer, install random malware, impersonate you, and generally can 
do whatever you can do on your own computer.

In Thunderbird, the risk is even larger than in Firefox. In Firefox, you 
need to actively go to a website, and that website needs to attack you 
(possibly via an ad server). We still assume that an attacker will 
manage to get you to his website somehow, and we consider such a 
critical bug the end of the computing world. In Thunderbird, the 
attacker has it even easier: He just needs to send you an HTML email. 
You view it, and you're done. Dead.

The default in Thunderbird is the HTML viewer.

Mitigation:
* JS is disabled by default
* "View | Message body as | Simple HTML", which tries to prevent most 
security holes with HTML.

Neither is bullet-proof and some classes of bugs, e.g. in the parser, or 
image decoders or - worse - in the complex native video codecs, are 
still going to hit you with their full force.

Unfortunately, Mozilla gave up on supporting old Gecko versions with 
security patches. Time's over once the ESR release is unsupported, which 
is currently 6-8 months. Anything else was considered not feasible for 
the Firefox security team. There's no chance that the Thunderbird team can 
keep up.

So, as much as I'd like that personally, forking Gecko is not an option.

(These dreaded security holes and the lack of patches have crossed many 
plans, in many different areas and products and companies.)
