Fwd: Intent to unship: TLS 1.0 and TLS 1.1
michael at linuxmagic.com
Tue Sep 17 21:38:25 UTC 2019
On 2019-09-17 5:12 a.m., Kai Engert wrote:
> On 13.09.19 22:01, Rob Lemley wrote:
>> I was able to pull some info from Censys:
> Thanks Rob, that's very helpful information.
> How about we show a notification bar when reading email from an
> IMAP/POP3 server, that doesn't support TLS 1.2?
> Maybe once per session per server: "The server you're accessing doesn't
> support modern transport security: $hostname"
> Same could be done after sending an email, in the main mail window, once
> per session per server: "Your email was sent through a gateway that
> doesn't support modern transport security: $hostname"
> That would raise awareness, and make it easier to disable by default in
> a future version.
> Thoughts about this idea?
> Because that requires UI and strings, I'm not sure if this could be done
> in a Thunderbird 68.x point release.
> If Thunderbird summer 2020 is the first version that displays such
> warnings, we'd probably have to postpone disabling by default to a later
Happened to have a few minutes, thought I would comment on this.
I think TB should take the higher road..
Putting up too many warnings can just annoy people, and the uneducated
might simply turn to a different email client..
I would say put up the case scenarios, on how the user would/should be
Not that ISPs will like it, but they should be upgrading, or they are
performing a disservice for their customers.. however, it is not trivial
for a Man in the Middle attack to decrypt a message with weaker
And Thunderbird doesn't currently warn users if they are using POP
without TLS, a much bigger threat to security.
I think this might be better served with a simple awareness campaign.
Or maybe an option to 'test' your accounts for recommended security
An idea.. I think that a simple 'red' icon that a user could click,
which informs them of the importance of using secure email settings,
that gives them an option to 'test' all their current account settings..
which can turn the icon green after testing.
But I might suggest that a few more changes are needed in the new
service setup tools, and auto discovery..
But, in the end, if someone wants to use Thunderbird to connect to an
insecure service, I think you are going to have to let them, as long as
it is an informed decision, e.g. account setup..
"The service you are attempting to connect to doesn't support industry
standard encryption (SSL/TLS), are you sure you wish to continue?
Sending passwords and emails over insecure networks may be a risk to
your private information".
Of course this needs to happen BEFORE presenting the username/password
to the service. (Imagine DNS Hijacking at the router, redirecting to
Of course, this indicates that at EVERY IMAP/SMTP or other service
connection, a more 'general' check should be made.. maybe a config
option, 'Warn me before connecting to an insecure service' where even
more strict SSL checks can be made, besides versions.. service host name
does not match SSL cert name.
What about those who use encrypted tunnels, but the service isn't using
TLS, those environments still do exist, albeit rare.
I think this might need a more prolonged discussion..
The idea of deprecating support is good.. and a timeline, but a rethink
on how Thunderbird informs end users and promotes the use of more secure
methods should be looked at as part of the larger picture..
Does this make sense?
> tb-planning mailing list
> tb-planning at mozilla.org
"Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
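
The account "test" proposed in the message above, sketched as an added example (not part of the original post and not Thunderbird code): it completes only a TLS handshake, so no username or password reaches the server, and it requires TLS 1.2+ plus a certificate that matches the host name. The function names, the `.example` hosts and the sample results are hypothetical; only implicit-TLS ports (993, 995, 465) are handled, not STARTTLS.

```python
import socket
import ssl

def probe(host, port, timeout=5.0):
    """Handshake only: nothing is sent after TLS is established."""
    ctx = ssl.create_default_context()            # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"tls": tls.version(), "cert_ok": True, "error": None}
    except ssl.SSLCertVerificationError as exc:   # includes host name mismatch
        return {"tls": None, "cert_ok": False, "error": exc.verify_message}
    except ssl.SSLError as exc:                   # e.g. no common protocol version
        return {"tls": None, "cert_ok": None, "error": exc.reason or str(exc)}
    except OSError as exc:                        # refused, timeout, DNS failure
        return {"tls": None, "cert_ok": None, "error": str(exc)}

def verdict(result):
    """Map one probe result to the red/green icon state from the message."""
    if result["cert_ok"] is False:
        return "red", "certificate does not verify for this host name"
    if result["tls"] in ("TLSv1.2", "TLSv1.3"):
        return "green", "negotiated " + result["tls"]
    return "red", result["error"] or "no TLS 1.2+ session"

def check_accounts(accounts, probe_fn=probe):
    """Return (icon, details); the icon is green only if every server passes."""
    details = {(h, p): verdict(probe_fn(h, p)) for h, p in accounts}
    ok = bool(details) and all(v[0] == "green" for v in details.values())
    return ("green" if ok else "red"), details

# Constructed sample results standing in for live servers (offline demo).
SAMPLE = {
    ("imap.good.example", 993): {"tls": "TLSv1.3", "cert_ok": True, "error": None},
    ("pop.old.example", 995): {"tls": None, "cert_ok": None,
                               "error": "UNSUPPORTED_PROTOCOL"},
    ("smtp.spoofed.example", 465): {"tls": None, "cert_ok": False,
                                    "error": "Hostname mismatch"},
}

def sample_probe(host, port):
    return SAMPLE[(host, port)]

if __name__ == "__main__":
    icon, details = check_accounts(list(SAMPLE), probe_fn=sample_probe)
    print("icon:", icon)
    for server, (state, reason) in details.items():
        print(server, state, reason)
```

Calling `check_accounts` without `probe_fn` runs the real handshake against each configured server.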