On Sun, Apr 10, 2016 at 9:22 AM, Elmar Stellnberger <[email protected]> wrote:
> Is there anyone here who can explain the insecurity of SSL/TLS in its current
> state?

TLS properly implemented is secure. The insecure VPN (as you so describe it) may have been stripping out the offer of STARTTLS by the IMAP server. This is pretty trivial to do when you control all of the data flowing through the VPN [1]. This has actually been done by some ISPs in the past [2]. Although the RFC for STARTTLS indicates that clients should fall back if TLS is not available [3], last time I checked, if you have STARTTLS specified in the server settings in Thunderbird, it should not be establishing a connection if it is unable to do so over TLS.

What are the server settings you are using for IMAP? Was it a successful login or an attempted login? Did you accept any certificate warnings?

[1] https://github.com/tintinweb/striptls
[2] https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
[3] https://tools.ietf.org/html/rfc2595

Brandon Vincent
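Added example, not part of the thread or of any mail client's own code: a minimal Python IMAP client check that fails closed when the pre-TLS CAPABILITY response does not offer STARTTLS, the behaviour the reply attributes to Thunderbird when STARTTLS is configured. The function names and the sample responses in the docstrings are assumptions; an account that does not require TLS is the only case allowed to continue in plaintext.

```python
import socket
import ssl

def parse_capabilities(line: str) -> set:
    """Capability tokens from a greeting like '* OK [CAPABILITY IMAP4rev1 STARTTLS] ready'
    or an untagged '* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED' response."""
    line = line.strip()
    if "[CAPABILITY " in line:
        inner = line.split("[CAPABILITY ", 1)[1].split("]", 1)[0]
        return set(inner.upper().split())
    if line.upper().startswith("* CAPABILITY "):
        return set(line[len("* CAPABILITY "):].upper().split())
    return set()

def starttls_policy(capabilities: set, require_tls: bool = True) -> str:
    """'starttls' if offered; otherwise 'abort' when the account requires TLS
    (a stripped offer fails closed) and 'plaintext' only when it does not."""
    if "STARTTLS" in capabilities:
        return "starttls"
    return "abort" if require_tls else "plaintext"

def connect_imap(host: str, port: int = 143, require_tls: bool = True) -> ssl.SSLSocket:
    """Open an IMAP session and upgrade it with STARTTLS, never falling back.
    Raises ConnectionError when STARTTLS is missing (possible stripping) or refused."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    sock = socket.create_connection((host, port), timeout=10)
    reader = sock.makefile("rb")
    caps = parse_capabilities(reader.readline().decode("ascii", "replace"))
    if not caps:  # greeting carried no capabilities, so ask explicitly
        sock.sendall(b"a1 CAPABILITY\r\n")
        while True:
            line = reader.readline().decode("ascii", "replace")
            if line.startswith("* CAPABILITY"):
                caps = parse_capabilities(line)
            if line.startswith("a1 ") or not line:
                break
    if starttls_policy(caps, require_tls) != "starttls":
        sock.close()
        raise ConnectionError(f"{host}: no STARTTLS offered; refusing plaintext login")
    sock.sendall(b"a2 STARTTLS\r\n")
    if not reader.readline().decode("ascii", "replace").startswith("a2 OK"):
        sock.close()
        raise ConnectionError(f"{host}: server refused STARTTLS")
    return ctx.wrap_socket(sock, server_hostname=host)
```

Because `connect_imap` raises instead of downgrading, a STARTTLS offer removed in transit shows up as a connection error rather than a successful plaintext login.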

