| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <E1EUoyU-0008Ia-00@chiark.greenend.org.uk> Date: Wed, 26 Oct 2005 18:22:06 +0100 From: Tony Finch <dot@...at.at> To: Jason.Haar@...mble.co.nz Cc: bugtraq@...urityfocus.com Subject: Re: Mozilla Thunderbird SMTP down-negotiation weakness Jason Haar <Jason.Haar@...mble.co.nz> wrote: > >Thunderbird explicitly allows you "TLS, if available" - which appears to >be what you refer to. However, there is a "TLS" - which means only do >TLS - and alert if the TLS certificate presented doesn't match a known >one (which would happen in a MITM). > >Are you referring to a bug in their "TLS" mode - or implying that "TLS, >if available" is somehow not... what it says it is...??? > >Doesn't sound like a hole to me. The "TLS, if available" option is common to most MUAs and is a serious security problem. Thunderbird has other security-related user interface problems. For example, the account setup wizard creates accounts with insecure settings by default and then encourages users to log in immediately and compromise their passwords. http://www.livejournal.com/users/fanf/39428.html Tony. -- f.a.n.finch <dot@...at.at> http://dotat.at/ LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHWEST 4 OR 5 INCREASING 6 OR 7 FOR A TIME WEATHER: SHOWERS DYING OUT, RAIN LATER VISIBILITY: MODERATE OR GOOD. MODERATE, BECOMING ROUGH IN NORTH
Powered by blists - more mailing lists