SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)

To: debian-security@lists.debian.org
Subject: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
From: Elmar Stellnberger <estellnb@gmail.com>
Date: Sun, 10 Apr 2016 18:22:09 +0200
Message-id: <[🔎] 570A7DB1.5000408@gmail.com>

Dear Readers of Debian-Security,

While being connected via an insecure VPN I had once more left myemail client open by accident (Thunderbird). Though access toimap.gmail.com shall be secured by SSL/TLS my gmail password wasmalversated within a few seconds; i.e. I got a login attempt fromHongKong and had to change the password after disconnecting.Is anyone here who can explain the insecurity of SSL/TLS in itscurrent state? Does Thunderbird support certificate pinning? Or do youthink that there are still errors in the implementation of the protocol?What about libressl for Linux?


Yours,
Elmar

Reply to:

Follow-Ups:
- Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
  - From: Brandon Vincent <Brandon.Vincent@asu.edu>
- Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
  - From: Evgeny Kapun <abacabadabacaba@gmail.com>

Prev by Date: CVE-2016-1503 / Debian Bug 810621
Next by Date: Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
Previous by thread: CVE-2016-1503 / Debian Bug 810621
Next by thread: Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
Index(es):
- Date
- Thread