Thunderbird 2.0.0.14 and SSL certificates

Thunderbird 2.0.0.14 was recently released to the world: yet another security release for Thunderbird. Yay, and thanks to all involved! All was well, until news came in through a bug report that one of those included updates is problematic for some users.

Specifically, as part of making Firefox 2.0.0.14, we made a change in how the underlying platform handles SSL certificates. That change was made to increase the privacy of people visiting certain web pages, as documented in this advisory.

The problem is that the switch (asking users to confirm that they want to identify themselves with a certificate) makes sense for web pages, but it doesn’t make sense as implemented for email transactions. There’s a lot more detail in the relevant bug.

Luckily, this problem likely doesn’t affect the vast majority of Thunderbird users. It only affects users who are issued a certificate to secure the communication with the mail server, rather than relying on passwords. With the 2.0.0.14 release, those users end up being asked to confirm the use of the certificate on every connection, which gets to be annoying.

Most of the users affected are likely in large organizations, as they are the ones who tend to issue their own certificates. Luckily, those organizations also often do their own QA before a deployment, so in all likelihood few people will be exposed to the bug.

Getting a fixed Thunderbird 2.0.0.15 out is planned, but we’re trying to figure out how to prioritize this release relative to the other releases.

In the meantime, there is a simple workaround that can be applied per user (revert a preference setting), or, for those deployments using autoconfig, by tweaking the central configuration file.
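As an added illustration of the autoconfig route (this is not from the post, which does not name the preference): the setting I believe is involved is `security.default_personal_cert`, which the platform change switched from "Select Automatically" to "Ask Every Time"; treat that preference name and both values as my assumption and check them against your build before deploying. The two files below show what a central configuration that reverts it typically looks like.

```js
// File 1: defaults/pref/autoconfig.js  (inside the Thunderbird install directory)
// Points the application at the central configuration file and disables the
// default byte-shift obfuscation so mozilla.cfg can be kept as plain text.
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);

// File 2: mozilla.cfg  (in the install directory; the first line MUST be a comment)
// Assumed preference name and value: security.default_personal_cert, restored to
// the pre-2.0.0.14 behaviour of picking the client certificate automatically.
// lockPref() pins the value so a user cannot flip it back to "Ask Every Time"
// from the preferences UI.
lockPref("security.default_personal_cert", "Select Automatically");
```

For a single user the equivalent is the same preference in the profile's prefs.js (`user_pref("security.default_personal_cert", "Select Automatically");`, written while Thunderbird is closed). One caveat worth stating to the people you deploy this to: locking automatic selection restores exactly the behaviour the advisory changed, so the client certificate is again presented to any server that asks for one without the user being consulted; that trade-off is acceptable when the only TLS servers the client talks to are the organization's own mail servers, which is the deployment the post describes.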

We could also release an XPI add-on to fix the preference, but that may or may not be easier — feedback welcome.

I’d love to hear from administrators of large Thunderbird installations in particular, as this bug highlighted for me several of the challenges we have in making sure that our processes are aligned with those of large deployments.

I’m also thinking that we need to set up better communication channels with people deploying large installations of Thunderbird (email lists, different blogs, etc.). If you’re involved in large-scale deployments of Thunderbird, email me and let me know your thoughts.

5 Comments

  1. Why do you think that larger organizations issue self-signed certificates for their mail servers? I can tell you otherwise… However, this bug doesn’t affect self-signed certs only, but all certificates with connections to SMTP, IMAP, POP3, LDAP etc…

    Most sane admins deploy TLS for mail servers these days, and it’s usually suggested for clients over sending their passwords in plain text. Therefore this bug is a priority. Bug is fixed: Release, release, release!

  2. Eddy: I think you’ve misunderstood the bug, or maybe David’s description. It is not about sites merely using a single server certificate to “secure the communication with the mail server”; this annoyance arises when the site also uses _client_ certificates to identify users (rather than have them log in with passwords).

    Self-signed certs have nothing to do with this issue. Perhaps you’re confusing this with the yet-to-be-resolved UI issue in early “Thunderbird 3” alphas (which has yet to adapt to the Firefox 3 self-signed certificate handling changes).

  3. Sorry for being late, besides that a solution is being worked on already by Kai. However I referred to this statement:

    Most of the users affected are likely in large organizations, as they are the ones who tend to issue their own certificates. Luckily, those organizations also often do their own QA before a deployment, so in all likelihood few people will be exposed to the bug.

    Now, at the StartCom CA one of the most popular usages of the free certificates we provide is for mail servers of all kinds, which usually covers all mail protocols, RPC and also web mail. Those certificates make up a large portion of our overall issuance.
