Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Account setup security warning

78 views
Skip to first unread message

Jesper Kristensen

unread,
Jan 16, 2010, 12:41:04 PM1/16/10
to
Hi.

The first time you start Thunderbird 3, and the account setup appears,
there is a warning dialog displayed, which effectively tells users that
they should ignore big red scary warnings like the warning Firefox gives
when a website is trying to install malware on your computer. I remember
that this was discussed at the MozCamp in Prague this fall, and it was
said it should be fixed. However I was stunned to discover today that it
had not been fixed in the final release of Thunderbird 3. I went looking
for the bug report, but since I haven't mastered the fine art of
searching bugzilla yet, I haven't found it. Can anyone help me find the
bug in bugzilla? And is there any ETA of getting it fixed, as I believe
it weakens computer security quite a lot.

http://temp.jesperkristensen.dk/mozilla/thunderbird/tb3-accountsetup-warning.png

Jesper

Nathan Tuggy

unread,
Jan 17, 2010, 3:47:37 PM1/17/10
to
Jesper,
Of my dozen-plus accounts on four different servers, only one of those
accounts triggered the warning when I set it up. That account was the
one for my local ISP -- ISPs are not exactly known, unfortunately, for
making enormous efforts to genuinely secure their users, so this seems
to be par for the course.

I agree that it's not good to accustom users to ignoring warnings, but
OTOH, unsecured email access is not safe. Again, users should be
encouraged to weigh the risks of using e.g. the insecure connection of
their local "Ralph's Pretty Good ISP" email vs. the value of having that
account available; Thunderbird, IMO, should certainly warn them about
this, though perhaps the warning as implemented is a little too scary.

I really do not think it would be at all secure (in any pragmatic sense)
to simply ignore insecure POP3/IMAP or SMTP connections -- how else will
users migrate to secure connections?

Disclaimer: I have not actually written any code for Thunderbird; I'm
just a power user and Bugzilla surfer/commenter.

Jesper Kristensen

unread,
Jan 18, 2010, 10:54:33 AM1/18/10
to
Den 17-01-2010 21:47, Nathan Tuggy skrev:
> Jesper,
> Of my dozen-plus accounts on four different servers, only one of those
> accounts triggered the warning when I set it up. That account was the
> one for my local ISP -- ISPs are not exactly known, unfortunately, for
> making enormous efforts to genuinely secure their users, so this seems
> to be par for the course.
>
> I agree that it's not good to accustom users to ignoring warnings, but
> OTOH, unsecured email access is not safe. Again, users should be
> encouraged to weigh the risks of using e.g. the insecure connection of
> their local "Ralph's Pretty Good ISP" email vs. the value of having that
> account available; Thunderbird, IMO, should certainly warn them about
> this, though perhaps the warning as implemented is a little too scary.
>
> I really do not think it would be at all secure (in any pragmatic sense)
> to simply ignore insecure POP3/IMAP or SMTP connections -- how else will
> users migrate to secure connections?
>
>
>
> Disclaimer: I have not actually written any code for Thunderbird; I'm
> just a power user and Bugzilla surfer/commenter.

I agree that a little warning is ok, or even good. But at the current
level equal to "this website is actively trying to install malware on
your computer right now", I don't think its ok.

Bryan Clark

unread,
Jan 19, 2010, 2:10:26 AM1/19/10
to

It's a tough balance to strike. I think there is likely a good point
that perhaps we shouldn't be reusing Firefox's danger signs as they are
different. However in this example case your passwords are unencrypted
and someone could easily take over your email account and use it for
spamming others. That seems like the right thing to warn people about.

What concerns me, which is similar, is that we have to warn people when
their certificate is incorrect. There doesn't seem to be a good
solution to the problem of email servers having self-signed or expired
certificates. Email servers aren't going to change and people need to
be able to setup their email but at the same time people use Thunderbird
because we are more secure.

There are some things I think we could do better for both situations if
we (core?) were collecting more information about our connections, where
they were made, how often we connected securely, etc. would help our
story in a lot of ways.

Any other suggestions?

~ Bryan

Michael A. Puls II

unread,
Jan 19, 2010, 3:39:36 AM1/19/10
to dev-apps-t...@lists.mozilla.org

----
Buddy switching to Thunderbird from 2.x or another client:

Me: Did you know your mail server doesn't support TLS?

Buddy: Is that bad?

Me: Kind of. It means your username and password are transmitted in plain
text and someone could easily sniff you connection for them and hijack
your account.

Buddy: I see. That sucks. What should I do?

Me: Well, you can either switch to a new email provider that has servers
that support TLS or you can just continue using your insecure mail server.

Buddy: I see. I don't want to switch to another provider. If I keep using
my insecure server, will it work like it always has?

Me: Yep

Buddy: Sweet. I'll keep using my mail server. Besides, it worked fine for
me for years and I've never had any problems. I'm not really worried.
----

The point is, although it's good to warn, warn like a human. And, make it
clear that if you don't switch to a secure server, connecting to the
server will work just like it always has in the past.

Or, something like "We've noticed that your mail server does not support
TLS. Using a mail server that supports TLS will make you more secure
because...".

The current use of "improper" in the dialog sounds a little snobby.

Also, the useful information is under "Technical details". Unfortunately,
it's collapsed by default.

I also have to admit that the ugly maroon on the dialog is so hideous that
the first 20+ times I saw the dialog I didn't read anything but the first
line and rushed to check the "I understand" checkbox. I more or less said,
"Ah, what the hell is this? Stop bugging me already!".

The warning dialog is just so intrusive. (Of course, Thunderbird shows you
a thousand dialogs before it even fully starts up. I'm annoyed by the time
I get that dialog. I mean, you have the account wizard pages, you have the
server tests, you have the warning dialog, you have the default client
dialog and you have the "know your rights" notificaiton, all before
Thunderbird starts up. Yikes.)

--
Michael

Bob Lord

unread,
Jan 19, 2010, 10:50:33 PM1/19/10
to
On 1/18/10 11:10 PM, Bryan Clark wrote:
> There are some things I think we could do better for both situations if
> we (core?) were collecting more information about our connections, where
> they were made, how often we connected securely, etc. would help our
> story in a lot of ways.

I'm less worried about mail services that don't try to establish secure
connections than those that attempt to use SSL and botch it. And boy are
they clever in the ways they botch security.

I'd love to see telemetry about the most popular ISPs that are using
self-signed, expired, or otherwise invalid certs, those that send
incomplete chains, those that ask for SSL client-auth certs, etc. There
are several bugs that point to improvements in the client (which is
fine... they need fixing), but we also need to have a list of the worst
offenders.

Can we get that telemetry?

Dan Mosedale

unread,
Jan 20, 2010, 1:14:13 PM1/20/10
to dev-apps-t...@lists.mozilla.org
We'll need Test Pilot. I've started a wiki page
<https://wiki.mozilla.org/Thunderbird:UX:Test_Pilot> to track tests that
we'd be interested in running once we get it.

Dan

Dan Mosedale

unread,
Jan 20, 2010, 1:35:02 PM1/20/10
to dev-apps-t...@lists.mozilla.org
On 1/20/10 10:14 AM, Dan Mosedale wrote:
> On 1/19/10 7:50 PM, Bob Lord wrote:
>> I'd love to see telemetry about the most popular ISPs that are using
>> self-signed, expired, or otherwise invalid certs, those that send
>> incomplete chains, those that ask for SSL client-auth certs, etc.
>> There are several bugs that point to improvements in the client
>> (which is fine... they need fixing), but we also need to have a list
>> of the worst offenders.
>>
>> Can we get that telemetry?
> We'll need Test Pilot. I've started a wiki page
> <https://wiki.mozilla.org/Thunderbird:UX:Test_Pilot> to track tests
> that we'd be interested in running once we get it.
davida pointed out in IRC that another way to get some of the data
you're looking for would be to use ISPDB logs to find popular domains,
and then write scripts to poke at those domains directly and detect
what's going on there.

Dan

Ludvig

unread,
Feb 8, 2010, 7:41:44 AM2/8/10
to
I totally agree with Jesper Kristensen. This warning has to die.
Microsoft and other competitors could not have found a more effective
way to scare users away from Thunderbird!

I don't know how it is in other countries, but in Denmark ISPs and
mail providers generally do not offer secure connections. That means
every user will get a very serious warning not to use the connection.
They have no choice but to ignore the warning (ordinary users should
never ignore warnings!) or change to another program that does not
tell them that they are in danger.

From the user's point of view, it must be Thunderbird that has a
security problem, because the provider don't have other solutions, and
it worked fine in their old program.

Some in this thread thinks it's o.k. with a less intrusive warning. I
don't. A warning is fine if the user has a choice. Most users don't
have a choice in this matter. You don't tell a new user to change to
another provider than the one he has been using with no problems for 5
years because of a theoretic problem. Not even if the user has a
choice of another provider.

Rather than changing provider, I am sure the user will just use
another program.

Kim Ludvigsen

0 new messages