Re: SSL/TLS still seems to be screwed up (retrieving Mail with Thunderbird)
On Sun, Apr 10, 2016 at 9:22 AM, Elmar Stellnberger <estellnb@gmail.com> wrote:
> Is anyone here who can explain the insecurity of SSL/TLS in its current
> state?
TLS properly implemented is secure. The insecure VPN (as you so
describe it) may have been stripping out the offer of STARTTLS by the
IMAP server. This is pretty trivial to do when you control all of the
data flowing through the VPN [1]. This has actually been done by some
ISPs in the past [2].
Although the RFC for STARTTLS indicates that clients should fall back
if TLS is not available [3], last time I checked if you have STARTTLS
specified in the server settings in Thunderbird, it should not be
establishing a connection if it is unable to do so over TLS.
What are the server settings you are using for IMAP?
Was it a successful login or an attempted login?
Did you accept any certificate warnings?
[1] https://github.com/tintinweb/striptls
[2] https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
[3] https://tools.ietf.org/html/rfc2595
Brandon Vincent
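
The fail-closed client behaviour discussed in the message above, as an added example that is not part of the original message and not Thunderbird's code. The function names and the sample greetings are hypothetical and constructed for illustration; connect_strict uses the standard imaplib calls.

```python
import imaplib
import ssl

# Constructed sample greetings (not captured traffic).
GREETING_INTACT = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready\r\n"
GREETING_STRIPPED = b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n"


def parse_capabilities(line):
    """Return the capability atoms from a greeting or CAPABILITY response."""
    text = line.decode("ascii", "replace").upper()
    _, found, rest = text.partition("CAPABILITY")
    if not found:
        return set()
    # Greeting form wraps the list in [...]; the untagged form does not.
    return set(rest.split("]", 1)[0].split())


def login_decision(line, require_starttls=True):
    """Decide what to do before any credentials are sent."""
    if "STARTTLS" in parse_capabilities(line):
        return "upgrade"
    if require_starttls:
        return "abort"      # fail closed: STARTTLS missing or stripped
    return "plaintext"      # opportunistic fallback, exposed to stripping


def connect_strict(host, port=143):
    """Live version of the same policy using imaplib (needs network)."""
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" not in conn.capabilities:
        conn.shutdown()
        raise ConnectionError("server did not offer STARTTLS; not logging in")
    conn.starttls(ssl_context=ssl.create_default_context())
    return conn  # certificate and hostname were verified by the context


if __name__ == "__main__":
    for name, line in (("intact", GREETING_INTACT), ("stripped", GREETING_STRIPPED)):
        print(name, login_decision(line), login_decision(line, False))
```

A client that requires STARTTLS cannot tell a stripped offer from a server that never made one, so both cases end in "abort" rather than a cleartext login.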