Re: Mozilla Thunderbird SMTP down-negotiation weakness
From: Tony Finch (dot_at_dotat.at)
To: Jason.Haar@trimble.co.nz Date: Wed, 26 Oct 2005 18:22:06 +0100
Jason Haar <Jason.Haar@trimble.co.nz> wrote:
>Thunderbird explicitly allows you "TLS, if available" - which appears to
>be what you refer to. However, there is a "TLS" - which means only do
>TLS - and alert if the TLS certificate presented doesn't match a known
>one (which would happen in a MITM).
>Are you referring to a bug in their "TLS" mode - or implying that "TLS,
>if available" is somehow not... what it says it is...???
>Doesn't sound like a hole to me.
The "TLS, if available" option is common to most MUAs and is a serious
Thunderbird has other security-related user interface problems. For
example, the account setup wizard creates accounts with insecure
settings by default and then encourages users to log in immediately
and compromise their passwords.
-- f.a.n.finch <firstname.lastname@example.org> http://dotat.at/ LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHWEST 4 OR 5 INCREASING 6 OR 7 FOR A TIME WEATHER: SHOWERS DYING OUT, RAIN LATER VISIBILITY: MODERATE OR GOOD. MODERATE, BECOMING ROUGH IN NORTH