Open Bug 962763 Opened 10 years ago Updated 2 years ago

Security flaw: Thunderbird suggests user drop STARTTLS when SMTP connection is hijacked

Categories

(MailNews Core :: Security, defect)

x86
Windows XP
defect

Tracking

(Not tracked)

People

(Reporter: silverlark, Unassigned)

Details

(Keywords: sec-want)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

For some reason my outgoing SMTP connection sometimes gets hijacked - I've tested it with telnet: when I try to connect to my SMTP server at port 25 I get a 220 SMTP response from an unknown server. In such cases Thunderbird behaves in a hazardous way. My server advertises STARTTLS upon EHLO. The hijacking server doesn't.


Actual results:

Thunderbird shows a message box that says: "Unable to establish a secure link with SMTP server ... using STARTTLS since it doesn't advertise that feature. Switch STARTTLS off for that server or contact your service provider." But switching STARTTLS off would reveal the user's password to the intruder.


Expected results:

The message should say "Unable to establish a secure link with SMTP server ... using STARTTLS since it doesn't advertise that feature. That could mean that your connection has been intercepted by an intruder. If you know what's going on, you may try switching STARTTLS off for that server; otherwise, contact your service provider."
Component: Untriaged → Security
Flags: needinfo?(mbanner)
silverlark: Presumably Thunderbird doesn't actually connect to the insecure server?

If so, I think this is not a security issue, just bad/unclear advice, and we could do better on that message.

The message is here in the code: http://hg.mozilla.org/comm-central/annotate/b57fc63e6aba/mail/locales/en-US/chrome/messenger/messengercompose/composeMsgs.properties#l176

So I think we could tidy that up a bit.
Flags: needinfo?(mbanner) → needinfo?(silverlark)
Thunderbird does connect to the hijacking server, otherwise it would not know that it doesn't advertise STARTTLS as expected. But that's understandable since Thunderbird can't check which server it's connected to with plain SMTP. What is important is that it should properly warn the user (like Firefox does, for example).

So yes, the message should be fixed.
Flags: needinfo?(silverlark)
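Added example (not Thunderbird's code; the EHLO replies are constructed, not captured): a fail-closed capability check of the kind the thread argues for. The client parses the EHLO reply, and when STARTTLS is required but not advertised it stops before AUTH so no password crosses the plaintext link, reporting the missing capability as possible interception instead of advising the user to turn STARTTLS off.

```python
import re

# Constructed EHLO replies, CRLF-terminated as on the wire.
EHLO_REAL_SERVER = (
    "250-mail.example.invalid Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)
# The hijacking server from the report: answers EHLO but omits STARTTLS.
EHLO_HIJACKING_SERVER = (
    "250-unknown.host Hello\r\n"
    "250 AUTH PLAIN LOGIN\r\n"
)

# RFC 5321: "250-" marks continuation lines, "250 " the final line.
_EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str) -> set[str]:
    """Return the uppercase capability keywords from a multiline EHLO reply."""
    caps = set()
    for i, line in enumerate(l for l in reply.split("\r\n") if l):
        m = _EHLO_LINE.match(line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        if i == 0:
            continue  # first line is the greeting (domain + text), not a capability
        caps.add(m.group(2).split()[0].upper())
    return caps


def pre_auth_decision(reply: str, require_starttls: bool = True) -> tuple[bool, str]:
    """Decide whether the client may continue towards TLS negotiation and AUTH.

    Returns (proceed, message). With STARTTLS required and absent, the client
    refuses to continue: credentials are never sent over the plaintext link,
    and the message treats the gap as a possible interception.
    """
    caps = parse_ehlo(reply)
    if "STARTTLS" in caps:
        return True, "STARTTLS advertised; upgrading to TLS before AUTH"
    if not require_starttls:
        return True, "proceeding without TLS (policy allows plaintext)"
    return False, ("Server did not advertise STARTTLS. This could mean the connection "
                   "has been intercepted by an intruder; not sending credentials.")
```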
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-want
Product: Thunderbird → MailNews Core
Severity: normal → S3