Re: Thunderbird security
> Security is always a tradeoff with usability; ...

+;

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _和合團結_ 감사합니다_^))//
Re: Thunderbird security
On 26.03.2022 13:50, André Rodier wrote:
> Hi all,
>
> I would like to collect, from this thread, your experience and opinion about Mozilla Thunderbird, in terms of security.
>
> I am registered on the Debian security list, and I see a lot of CVEs coming, some of them with a high score, mentioning execution of arbitrary code or information disclosure. Most of them seem pretty severe to me, and I am now running Thunderbird in firejail.
>
> However, I wonder if such a vulnerability would allow a remote attacker to send an email and get, for instance, the credentials stored in Thunderbird, with or without a master password.
>
> This seems habitual to me, compared to other mail clients in Debian, like evolution / claws, etc...
>
> In terms of security, which email clients, or which practices, would you recommend to me?
>
> Thanks for your understanding and advice, but please, I don't want to start a troll.

I've used Thunderbird for many years on different platforms. It is my favorite mail client and I've never had any major or security problems with it.

When it comes to security, it is a good thing to have a healthy dose of paranoia and to monitor the most recent known threats and vulnerabilities; however, the actual exploitation of them is usually quite difficult if not impossible, especially if you keep your software up to date.

When I search for CVEs for a current version of Thunderbird:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Thunderbird+91
I don't see any results that could affect the 91 version. All of them are for older (< 91) versions of Thunderbird.

There is always a possibility of some 0-day vulnerability in any software, so if you are being smart and exercise some precaution procedures you could still be fine. There are many ways, e.g.:

- You can disable JavaScript in Thunderbird altogether using the "about:config" page.
- Never open any URLs inside Thunderbird; copy-paste and edit them instead, because many of them are crafted for the purpose of tracking.
- Don't open any attachments right away, but save them to disk and inspect them instead, especially if they come from unknown sources.

Also, any exploit that could be received by mail has to pass through many filters and AV scanners before it will be delivered, so it makes exploitation of known vulnerabilities even more difficult for the bad guys.

Protecting your credentials with a Master Password is a good way to protect your data if the credential db files were somehow stolen by data-miner class malware, completely unrelated to Thunderbird.

The best antivirus is your head and healthy work habits.

-- 
With kindest regards,
Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄
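The about:config hardening Alexander recommends (JavaScript off) together with the "display messages as plain text" mode mentioned elsewhere in the thread, captured as a user.js for a Thunderbird profile so the settings survive upgrades. This is an added example, not code from any poster; the pref names are Thunderbird's own, the profile directory is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): write the hardening prefs discussed
# above into a Thunderbird profile's user.js and verify they are present.
# The profile directory is an assumption; on Debian it is typically
# ~/.thunderbird/<id>.default-release.
set -eu

harden_profile() {
    profile="$1"
    mkdir -p "$profile"
    # user.js is read at every start-up and its values are copied into
    # prefs.js, so the settings persist even if about:config is changed by hand.
    cat > "$profile/user.js" <<'EOF'
// Hardening prefs (see debian-user thread "Thunderbird security")
user_pref("javascript.enabled", false);                          // no JavaScript anywhere in the client
user_pref("mailnews.display.html_as", 1);                         // 1 = render HTML messages as plain text
user_pref("mailnews.display.prefer_plaintext", true);             // pick text/plain when the sender offers both
user_pref("mailnews.message_display.disable_remote_image", true); // block remote images (tracking pixels)
EOF
}

# Returns 0 when every hardening pref is present with the expected value,
# 1 otherwise; handy as a periodic check that nothing reverted the settings.
check_profile() {
    userjs="$1/user.js"
    [ -f "$userjs" ] || return 1
    for want in \
        'user_pref("javascript.enabled", false);' \
        'user_pref("mailnews.display.html_as", 1);' \
        'user_pref("mailnews.display.prefer_plaintext", true);' \
        'user_pref("mailnews.message_display.disable_remote_image", true);'
    do
        grep -Fq -- "$want" "$userjs" || return 1
    done
    return 0
}

# Usage: ./harden-tb.sh /path/to/profile
if [ "${1:-}" != "" ]; then
    harden_profile "$1"
    check_profile "$1" && echo "hardened: $1/user.js"
fi
```

Thunderbird must be restarted for user.js to be applied; add-ons that rely on content JavaScript may need `javascript.enabled` left on.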
Re: Thunderbird security
On 2022-03-26 at 07:20, Dan Ritter wrote:

> André Rodier wrote:
>
>> I would like to collect, from this thread, your experience and opinion about
>> Mozilla Thunderbird, in terms of security.
>
> Security is always a tradeoff with usability; Thunderbird is so
> heavily skewed towards usability, it has a whole web browser in
> it.

And it's *still* better in that respect than, say, Outlook. Or essentially any modern Web-based E-mail interface.

>> In terms of security, which email clients, or which practices, would you
>> recommend to me?
>
> The number one recommendation would be a mail client that cannot
> execute JavaScript or show you pictures directly. Fixing that
> solves many user security issues.

To be fair, Thunderbird in "display messages as plain text" mode serves adequately well in that regard. (Though there are unfortunately-many messages where it won't display them in any usable form - but a lot of those seem to be more the fault of poor structuring of the mail on the part of the sender, and Outlook tends to handle such messages even worse.)

-- 
The Wanderer

The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. -- George Bernard Shaw
Re: Thunderbird security
André Rodier wrote:
> I would like to collect, from this thread, your experience and opinion about
> Mozilla Thunderbird, in terms of security.

Security is always a tradeoff with usability; Thunderbird is so heavily skewed towards usability, it has a whole web browser in it.

> In terms of security, which email clients, or which practices, would you
> recommend to me?

The number one recommendation would be a mail client that cannot execute JavaScript or show you pictures directly. Fixing that solves many user security issues.

-dsr-
Re: Thunderbird security
On 26/03/2022 05:50, André Rodier wrote:
> I would like to collect, from this thread, your experience and opinion about Mozilla Thunderbird, in terms of security.
>
> I am registered on the Debian security list, and I see a lot of CVEs coming, some of them with a high score, mentioning execution of arbitrary code or information disclosure. Most of them seem pretty severe to me, and I am now running Thunderbird in firejail.
>
> However, I wonder if such a vulnerability would allow a remote attacker to send an email and get, for instance, the credentials stored in Thunderbird, with or without a master password.
>
> This seems habitual to me, compared to other mail clients in Debian, like evolution / claws, etc...
>
> In terms of security, which email clients, or which practices, would you recommend to me?

If you search the CVE numbers[0], you should be able to find information about the vulnerabilities[1], describing the conditions necessary for them to be exploited and the possible consequences. You can then judge if they might affect you (some vulnerabilities can only be exploited in particular circumstances, which might not apply to your case) and evaluate the risk.

But, overall, the fact that the vulnerabilities are being found and fixed is a good sign: it means that the code is being looked at and problems are being solved. The fact that the details have not been released yet suggests that those were found by someone well-intentioned, and not because they were being exploited in the wild, but on the other hand it also suggests the risk is high enough that it's better to withhold that information until people have had a chance to upgrade to a fixed version.

[0] The announcements on debian-security-announce could be improved by having a link to the CVE database. But for now, you'll have to search them manually.

[1] Eventually... The last CVEs for Thunderbird are still in the "reserved" state. I believe this is meant to give some time for distributions to update the software before the details about how to exploit the vulnerability are disclosed.

-- 
Insomnia isn't anything to lose sleep over.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
Thunderbird security
Hi all,

I would like to collect, from this thread, your experience and opinion about Mozilla Thunderbird, in terms of security.

I am registered on the Debian security list, and I see a lot of CVEs coming, some of them with a high score, mentioning execution of arbitrary code or information disclosure. Most of them seem pretty severe to me, and I am now running Thunderbird in firejail.

However, I wonder if such a vulnerability would allow a remote attacker to send an email and get, for instance, the credentials stored in Thunderbird, with or without a master password.

This seems habitual to me, compared to other mail clients in Debian, like evolution / claws, etc...

In terms of security, which email clients, or which practices, would you recommend to me?

Thanks for your understanding and advice, but please, I don't want to start a troll.

-- 
AR - André Rodier