Fwd: Intent to unship: TLS 1.0 and TLS 1.1

Michael Peddemors michael at linuxmagic.com
Tue Sep 17 21:38:25 UTC 2019


On 2019-09-17 5:12 a.m., Kai Engert wrote:
> On 13.09.19 22:01, Rob Lemley wrote:
>> I was able to pull some info from Censys:
> 
> Thanks Rob, that's very helpful information.
> 
> How about we show a notification bar when reading email from an
> IMAP/POP3 server, that doesn't support TLS 1.2?
> 
> Maybe once per session per server: "The server you're accessing doesn't
> support modern transport security: $hostname"
> 
> Same could be done after sending an email, in the main mail window, once
> per session per server: "Your email was sent through a gateway that
> doesn't support modern transport security: $hostname"
> 
> That would raise awareness, and make it easier to disable by default in
> a future version.
> 
> Thoughts about this idea?
> 
> Because that requires UI and strings, I'm not sure if this could be done
> in a Thunderbird 68.x point release.
> 
> If Thunderbird summer 2020 is the first version that displays such
> warnings, we'd probably have to postpone disabling by default to a later
> time.
> 
> Kai

I happened to have a few minutes, so I thought I would comment on this.
I think TB should take the high road.

Putting up too many warnings can just annoy people, and the uneducated 
might simply turn to a different email client.

I would say put up the case scenarios on how the user would/should be 
informed.

Not that ISPs will like it, but they should be upgrading, or they are 
performing a disservice to their customers. However, it is not trivial 
for a man-in-the-middle attack to decrypt a message with weaker 
encryption.

And Thunderbird doesn't currently warn users if they are using POP 
without TLS, a much bigger threat to security.

I think this might be better served with a simple awareness campaign, 
or maybe an option to 'test' your accounts for recommended security 
settings.

An idea: a simple 'red' icon that a user could click, which informs 
them of the importance of using secure email settings and gives them an 
option to 'test' all their current account settings, turning the icon 
green after testing.

But I might suggest that a few more changes are needed in the new 
service setup tools and auto discovery.

But, in the end, if someone wants to use Thunderbird to connect to an 
insecure service, I think you are going to have to let them, as long as 
it is an informed decision, e.g. at account setup:

"The service you are attempting to connect to doesn't support industry 
standard encryption (SSL/TLS). Are you sure you wish to continue? 
Sending passwords and emails over insecure networks may be a risk to 
your private information."

Of course this needs to happen BEFORE presenting the username/password 
to the service. (Imagine DNS hijacking at the router, redirecting to 
another location.)

Of course, this indicates that at EVERY IMAP/SMTP or other service 
connection a more 'general' check should be made. Maybe a config 
option, 'Warn me before connecting to an insecure service', where even 
stricter SSL checks can be made besides versions, e.g. the service host 
name does not match the SSL certificate name.

What about those who use encrypted tunnels, but where the service isn't 
using TLS? Those environments still exist, albeit rarely.

I think this might need a more prolonged discussion.

The idea of deprecating support is good, and so is a timeline, but a 
rethink of how Thunderbird informs end users and promotes the use of 
more secure methods should be looked at as part of the larger picture.

Does this make sense?

> _______________________________________________
> tb-planning mailing list
> tb-planning at mozilla.org
> https://mail.mozilla.org/listinfo/tb-planning
> 



-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
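The "test your account settings before any password is sent" check that the message above sketches, as an added example that is not part of the original post and is not Thunderbird or LinuxMagic code. It uses only the Python 3.7+ standard library; the host names, ports and the red/green wording are assumptions. The probe drives the plaintext STARTTLS prelude for IMAP or SMTP (or speaks implicit TLS on 993/465), completes the handshake under a context that enforces TLS 1.2 or newer, a trusted certificate chain and a matching host name, records what was negotiated, and disconnects. No LOGIN or AUTH command is ever issued, so a hijacked DNS answer pointing at a look-alike server yields a failed handshake, not a leaked credential:

```python
"""Probe mail servers' TLS before any credentials are sent.

Added example, not Thunderbird or LinuxMagic code. Python 3.7+ standard
library only; host names, ports and the red/green wording are assumptions.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# "Modern transport security" as the thread uses the phrase: TLS 1.2 or newer.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MODERN = ("TLSv1.2", "TLSv1.3")


@dataclass
class ProbeResult:
    host: str
    port: int
    tls_version: Optional[str]   # negotiated version, e.g. "TLSv1.3"; None if handshake failed
    cipher: Optional[str]
    error: Optional[str] = None  # human-readable reason the strict handshake failed

    @property
    def ok(self) -> bool:
        # Only a completed strict handshake counts: chain, host name and
        # minimum version were all enforced by the context below.
        return self.error is None and self.tls_version in MODERN


def build_strict_context() -> ssl.SSLContext:
    # create_default_context(): system CA store, CERT_REQUIRED, check_hostname=True,
    # so a certificate whose name does not match the configured host is rejected.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def _readline(sock: socket.socket) -> bytes:
    # Byte at a time so nothing past the line is buffered before the TLS handshake.
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise RuntimeError("connection closed before TLS could start")
        buf += chunk
    return bytes(buf)


def _smtp_reply(sock: socket.socket) -> int:
    # Read one (possibly multi-line) SMTP reply and return its 3-digit code.
    while True:
        line = _readline(sock)
        if len(line) < 4 or line[3:4] != b"-":
            return int(line[:3])


def _starttls_prelude(sock: socket.socket, proto: str) -> None:
    """Plaintext prelude asking the server to upgrade (RFC 3207 SMTP, RFC 2595 IMAP).
    Nothing here identifies the account; no LOGIN or AUTH is ever sent."""
    if proto == "imap":
        _readline(sock)                              # "* OK ..." greeting
        sock.sendall(b"a001 STARTTLS\r\n")
        reply = _readline(sock)
        if not reply.startswith(b"a001 OK"):
            raise RuntimeError("IMAP server refused STARTTLS: "
                               + reply.decode(errors="replace").strip())
    elif proto == "smtp":
        _smtp_reply(sock)                            # 220 greeting
        sock.sendall(b"EHLO probe.invalid\r\n")      # placeholder client name
        _smtp_reply(sock)
        sock.sendall(b"STARTTLS\r\n")
        if _smtp_reply(sock) != 220:
            raise RuntimeError("SMTP server refused STARTTLS")
    else:
        raise ValueError("proto must be 'imap' or 'smtp'")


def probe(host: str, port: int, proto: str = "imap", starttls: bool = False,
          timeout: float = 10.0) -> ProbeResult:
    """Connect, negotiate TLS under the strict context, report, disconnect.
    The handshake either succeeds with everything verified or raises; in
    neither case has a username or password left the client."""
    ctx = build_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if starttls:
                _starttls_prelude(raw, proto)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ProbeResult(host, port, tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as exc:        # wrong chain or host name mismatch
        return ProbeResult(host, port, None, None, f"certificate/host name check failed: {exc}")
    except (ssl.SSLError, OSError, RuntimeError) as exc:  # old TLS, no TLS, refused, timeout
        return ProbeResult(host, port, None, None, str(exc))


def status_icon(results: List[ProbeResult]) -> str:
    """The red/green icon idea: green only if every configured account passed."""
    return "green" if results and all(r.ok for r in results) else "red"


if __name__ == "__main__":
    # Assumed account list; run against your real servers.
    checks = [probe("imap.example.net", 993),
              probe("smtp.example.net", 587, proto="smtp", starttls=True)]
    for r in checks:
        print(f"{r.host}:{r.port} -> {r.tls_version or 'no TLS'} {r.cipher or ''} {r.error or ''}".strip())
    print("icon:", status_icon(checks))
```

Because the strict context refuses anything below TLS 1.2, a server that only offers TLS 1.0 or 1.1 shows up as a failed handshake rather than a reported version; that is the right outcome for a pre-login check, and the error text from OpenSSL says why. The probe deliberately does not fall back to a permissive context to "discover" what an old server would have negotiated, since that second connection is exactly the one an attacker on the path would want you to make.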

