On Tue, Sep 22, 2015 at 1:47 AM, Brian Smith <[email protected]> wrote:
> * Mozilla's S/MIME processing isn't well supported. Large parts of it are
> out of date and the people who maintain the certificate validation logic
> aren't required to keep S/MIME stuff working. In particular, it is OK
> according to current development policies for us to change Gecko's
> certificate validation logic so that it works for SSL but doesn't
> (completely) work for S/MIME. So, basically, Mozilla doesn't implement
> software that can properly use S/MIME certificates, as far as we know.
>

Here is a good example to show that the security of Thunderbird's S/MIME
handling is not properly managed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1178032

The bug report is that email that the user tried to encrypt was sent
unencrypted. The bug was filed months ago, but hasn't been triaged so that
it is marked as a serious security issue, and the validity of the bug
report hasn't been investigated by anybody.

Cheers,
Brian
--
https://briansmith.org/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

