BugTraq
Mozilla Thunderbird SMTP down-negotiation weakness Oct 25 2005 11:06AM
Thomas Henlich (thomas henlich de) (1 replies)
Re: Mozilla Thunderbird SMTP down-negotiation weakness Oct 26 2005 09:35AM
Jason Haar (Jason Haar trimble co nz) (1 replies)
Re: Mozilla Thunderbird SMTP down-negotiation weakness Oct 26 2005 05:22PM
Tony Finch (dot dotat at) (1 replies)
Jason Haar <Jason.Haar (at) trimble.co (dot) nz [email concealed]> wrote:
>
>Thunderbird explicitly allows you "TLS, if available" - which appears to
>be what you refer to. However, there is a "TLS" - which means only do
>TLS - and alert if the TLS certificate presented doesn't match a known
>one (which would happen in a MITM).
>
>Are you referring to a bug in their "TLS" mode - or implying that "TLS,
>if available" is somehow not... what it says it is...???
>
>Doesn't sound like a hole to me.

The "TLS, if available" option is common to most MUAs and is a serious
security problem.

Thunderbird has other security-related user interface problems. For
example, the account setup wizard creates accounts with insecure
settings by default and then encourages users to log in immediately
and compromise their passwords.

http://www.livejournal.com/users/fanf/39428.html

Tony.
--
f.a.n.finch <dot (at) dotat (dot) at [email concealed]> http://dotat.at/
LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHWEST 4 OR 5 INCREASING 6 OR 7 FOR A
TIME WEATHER: SHOWERS DYING OUT, RAIN LATER VISIBILITY: MODERATE OR GOOD.
MODERATE, BECOMING ROUGH IN NORTH

[ reply ]
Re: Mozilla Thunderbird SMTP down-negotiation weakness Oct 26 2005 09:09PM
Bob Beck (beck bofh cns ualberta ca) (1 replies)
Re: Mozilla Thunderbird SMTP down-negotiation weakness Oct 26 2005 09:32PM
Jason Haar (Jason Haar trimble co nz)


 

Privacy Statement
Copyright 2010, SecurityFocus