Re: Mozilla Thunderbird SMTP down-negotiation weakness
From: Tony Finch (dot_at_dotat.at)
Date: 10/26/05
- Previous message: Andrey Bayora: "Re: [Full-disclosure] Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte"
- In reply to: Jason Haar: "Re: Mozilla Thunderbird SMTP down-negotiation weakness"
- Next in thread: Bob Beck: "Re: Mozilla Thunderbird SMTP down-negotiation weakness"
- Reply: Bob Beck: "Re: Mozilla Thunderbird SMTP down-negotiation weakness"
To: Jason.Haar@trimble.co.nz
Date: Wed, 26 Oct 2005 18:22:06 +0100

Jason Haar <Jason.Haar@trimble.co.nz> wrote:
>
>Thunderbird explicitly allows you "TLS, if available" - which appears to
>be what you refer to. However, there is a "TLS" - which means only do
>TLS - and alert if the TLS certificate presented doesn't match a known
>one (which would happen in a MITM).
>
>Are you referring to a bug in their "TLS" mode - or implying that "TLS,
>if available" is somehow not... what it says it is...???
>
>Doesn't sound like a hole to me.

The "TLS, if available" option is common to most MUAs and is a serious
security problem.

Thunderbird has other security-related user interface problems. For
example, the account setup wizard creates accounts with insecure
settings by default and then encourages users to log in immediately
and compromise their passwords.

http://www.livejournal.com/users/fanf/39428.html

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHWEST 4 OR 5 INCREASING 6 OR 7 FOR A TIME WEATHER: SHOWERS DYING OUT, RAIN LATER VISIBILITY: MODERATE OR GOOD. MODERATE, BECOMING ROUGH IN NORTH
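
The difference between the two settings discussed in this message, as an added example that is not part of the original post and is not Thunderbird's code: a model of what a client does when the EHLO reply does not list STARTTLS. The mode names, the sample replies and the treatment of a failed certificate check are assumptions.

```python
# Added illustration: a model of the two settings, not Thunderbird's code.
# Constructed EHLO replies; mail.example.org is a placeholder host.
EHLO_WITH_STARTTLS = (
    "250-mail.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The same reply as the client sees it when the STARTTLS line is absent.
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)


def parse_ehlo(reply):
    """Return the upper-cased extension keywords of a multi-line EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:  # line 1 is the greeting, not a keyword
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def decide(mode, reply, cert_ok=True):
    """Return 'auth_over_tls', 'auth_in_clear' or 'abort'.

    mode is 'if_available' or 'required' (hypothetical names for the two
    settings). cert_ok stands for the certificate check after STARTTLS;
    treating a failed check as fatal in both modes is an assumption.
    """
    if mode not in ("if_available", "required"):
        raise ValueError("unknown mode: %r" % mode)
    if "STARTTLS" in parse_ehlo(reply):
        return "auth_over_tls" if cert_ok else "abort"
    # No STARTTLS offered: no certificate is ever presented, so nothing can
    # be checked. Only the strict setting stops before the password is sent.
    return "abort" if mode == "required" else "auth_in_clear"


if __name__ == "__main__":
    for mode in ("if_available", "required"):
        for name in ("EHLO_WITH_STARTTLS", "EHLO_WITHOUT_STARTTLS"):
            print(mode, name, decide(mode, globals()[name]))
```
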