Thunderbird not secure enough

[Caver1]

Just tried to set up Thunderbird 45.4.0 for my wife to use
it for her Yahoo mail account each time I tried I got the
error message that User name/Password was wrong. So I triple
checked and they were correct.
Finally I got an email from Yahoo stating;

"...We strongly recommend that you switch to Yahoo's apps
such as Yahoo Mail on desktop and mobile and remove your
account from all other less secure apps.
If you still want to use an app that uses less secure sign
in, go to
https://login.yahoo.com/account/security#other-apps and turn
on "Allow apps that use less secure sign in". This is not
recommended and may leave your account more vulnerable to
compromise. To learn more, please visit our help page:
https://help.yahoo.com/kb/account/SLN27791.html
Yahoo blocked this sign in attempt ...

So according to Yahoo the newest TB is not secure.
I never use Yahoo myself and this just backed up my opinion.
--
Caver1

[Keith Nuttle]

First I would make sure that you do not have a virus that has hijacked
the login routine. If so it may be directing you to a span login page.

I use Yahoo through ATT mail and use Thunderbird 45.4.0 on Windows 10 AE
(fully updated) to access the account. I have never seen the message
that you received.

If valid, it sounds like this was from Yahoo marketing department. I
would ignore it and use what ever I felt was a secure program for email
and newsgroups.

Unless you are using Thunderbird in the browser mode, most of the
security is coming from your security program anyway.

[Keith Nuttle]

I believe you may have encounter malware or a virus. I logged into my
ATT/Yahoo account and got this is from the Yahoo information page and
does not mention that any of the email programs are unsecured.

https://help.yahoo.com/kb/sln6434.html


Thunderbird is listed as an acceptable browser and the link takes you to
the Mozilla page.

[James Moe]

On 11/10/2016 11:44 AM, Caver1 wrote:
> Just tried to set up Thunderbird 45.4.0 for my wife to use
> it for her Yahoo mail account each time I tried I got the
> error message that User name/Password was wrong. So I triple
> checked and they were correct.
>

Which protocol are you using? IMAP or POP3?
Have you selected the secure option for that protocol?

--
James Moe
jmm-list at sohnen-moe dot com
Think.

[Wayne]

On 11/10/2016 1:44 PM, Caver1 wrote:

The access problem is a common issue. Perhaps you should get off yahoo :)

Those links only point out a issue yahoo issue, not a general security
problem in Thunderbird. In other words, there are plenty of ways to use
Thunderbird securely.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1310456 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1304646

[Christian Riechers]

If you turn on 2-step authentication for Yahoo you don't need to allow
'less secure apps'.

[Caver1]

I did ignore it and decided to just let her use the web mail.
It would surprise me if marketing could stop you from
connecting.

--
Caver1

[Caver1]

I tried several times from three different computers and got
the same. Yahoo refused the connection.
I use Thunderbird for everything and have since I don't know
when.
I ended up going to my wife's Yahoo account and they do have
a setting to let you use insecure apps which you have to choose.

--
Caver1

[Caver1]

On 11/10/2016 02:33 PM, James Moe wrote:
> On 11/10/2016 11:44 AM, Caver1 wrote:
>> Just tried to set up Thunderbird 45.4.0 for my wife to use
>> it for her Yahoo mail account each time I tried I got the
>> error message that User name/Password was wrong. So I triple
>> checked and they were correct.
>>
> Which protocol are you using? IMAP or POP3?
> Have you selected the secure option for that protocol?
>

Yes POP3.

--
Caver1

[Caver1]

I have tried to get my wife off Yahoo but she doesn't want
to. :-(

--
Caver1

[Caver1]

You don't need 2-step authentication.
Also by choosing less secure apps they are saying that TB is
not secure.

--
Caver1

[Millwood]

AFAIK, the correct explanation is - Yahoo does not support modern client
authentications methods, forcing you to use the less secure ones they do
support.

Also, as you may know, Yahoo was hacked and kept the fact secret for two
years. So I would be really hesitant to use it for anything critical,
such as the password reset email for your bank.

[Caver1]

+1

--
Caver1

[John McGaw]

On 11/10/2016 1:44 PM, Caver1 wrote:

What are your account settings? Are you using POP and SMTP? I use the Yahoo
servers all the time and the requirements seem to be POP: SSL/TLS on port
995 and SMTP: SSL/TLS on port 465. Could you be trying to go in on a
non-secure connection and provoking Yahoo's (in)secrity?

[Wayne]

On 11/10/2016 3:39 PM, Millwood wrote:
> Caver1 wrote:
>> Just tried to set up Thunderbird 45.4.0 for my wife to use it for her
>> Yahoo mail account each time I tried I got the error message that User
>> name/Password was wrong. So I triple checked and they were correct.
>> Finally I got an email from Yahoo stating;
>>
>> "...We strongly recommend that you switch to Yahoo's apps such as Yahoo
>> Mail on desktop and mobile and remove your account from all other less
>> secure apps.
>> If you still want to use an app that uses less secure sign in, go to
>> https://login.yahoo.com/account/security#other-apps and turn on "Allow
>> apps that use less secure sign in". This is not recommended and may
>> leave your account more vulnerable to compromise. To learn more, please
>> visit our help page: https://help.yahoo.com/kb/account/SLN27791.html
>> Yahoo blocked this sign in attempt ...
>>
>> So according to Yahoo the newest TB is not secure.
>> I never use Yahoo myself and this just backed up my opinion.
> AFAIK, the correct explanation is - Yahoo does not support modern client
> authentications methods, forcing you to use the less secure ones they do
> support.

correct. reference previously cited bug reports

> Also, as you may know, Yahoo was hacked and kept the fact secret for two
> years. So I would be really hesitant to use it for anything critical,
> such as the password reset email for your bank.

Doesn't need to be critical to make on hesitant.

There are good free alternatives. And it's easy-peasy to email all your
friends and say "I'm changing from x...@yahoo.com to x...@some.where" and make
the job. Likewise easy to change logins on web properties to a new
email. If it's nostalgia that's holding her back, it's not a great
reason to stay with yahoo.

[Lew Wolfgang]

On 11/10/2016 12:32 PM, Caver1 wrote:
> On 11/10/2016 02:33 PM, James Moe wrote:

>> On 11/10/2016 11:44 AM, Caver1 wrote:
>>> Just tried to set up Thunderbird 45.4.0 for my wife to use
>>> it for her Yahoo mail account each time I tried I got the
>>> error message that User name/Password was wrong. So I triple
>>> checked and they were correct.
>>>
>> Which protocol are you using? IMAP or POP3?
>> Have you selected the secure option for that protocol?
>>
>
>

> Yes POP3.
>

(I don't use, and never did, Yahoo, so I don't know if this will work.)

You might try "POP3S". The "S" means you would use an encrypted
communications channel where your username and password, and
message data, are all encrypted and thusly not susceptible to snooping.
You can find this choice under Account Settings>Server Settings under
the "Connection Security" button. You want to select "SSL/TLS". This
will also automatically set the "Port:" field to 995.

It's ironic that Yahoo would complain about this considering their past
history with regard to security.

Regards,
Lew

[Caver1]

Not at all. All settings are correct.
How long ago did you set up your account?

--
Caver1

[Caver1]

Has nothing to do With POP3/S. I agree about Yahoo
complaining. That's why I posted this.
Yahoo does give a way around it which agrees that TB is
insecure.

--
Caver1

[John McGaw]

Can't say exactly. It has certainly been 3+ years.

[Caver1]

Maybe they started this after you set up your account.
Maybe you were grandfathered in. Who knows?

--
Caver1

[David E. Ross]

On 11/10/2016 10:44 AM, Caver1 wrote [in part]:
>
> So according to Yahoo the newest TB is not secure.
> I never use Yahoo myself and this just backed up my opinion.

Thunderbird is as secure as the rest of your computer. Yahoo has proven
to be insecure, allowing multitudes of users accounts to be hacked.

Furthermore, logging into Yahoo last Monday (7 November 2016) was quite
problematical. Yahoo blocked me from logging into its financial Web
site with SeaMonkey. The login process presented me with options to
receive a login code number via either E-mail (not a Yahoo mail account
since I do not have one) or phone. I tried one and watched my PC sit in
Yahoo's login process for about five minutes without success, after
which I quit. I then tried the other and got ten minutes without
success, again quitting. A few hours later, I was able to login without
needed any login code.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

[Ed Mullen]

On 11/10/2016 at 3:33 PM, Caver1's prodigious digits fired off:

It can be a pain to change email addresses. I got tired of it years ago
and got my own domains. Regardless of ISP changes my email address(es)
stay the same, on the same domain. It's cheap and worth the money to
avoid the aggravation of changing domains/providers.


--
Ed Mullen
http://edmullen.net/
I saw a woman wearing a sweat shirt with "Guess" on it...so I said
"Implants?"

[Disaster Master]

On 11/10/2016 4:16 PM, Caver1 <cav...@inthemud.org> wrote:

Has nothing to do With POP3/S. I agree about Yahoo 
complaining. That's why I posted this.
Yahoo does give a way around it which agrees that TB is 
insecure.

As has been explained, it isn't Thunderbird that is insecure here, it is Yahoo - they are merely rying to make it sound the other way around.

[PS56k]

I seem to recall having the same issue with GMAIL -
I don't remember without a quick Google search, but it was related to
which encryption setting was supported - or not -

[Disaster Master]

On 11/11/2016 1:41 PM, PS56k <psch...@no-spam.interserv.com> wrote:

I seem to recall having the same issue with GMAIL -
I don't remember without a quick Google search, but it was related to 
which encryption setting was supported - or not -

I think you're referring to when Google started enforcing OAUTH2. When they did that, you had to enable 'allow less secure auth' if you wanted to use TLS/SSL.

[Caver1]

Don't have that problem with Gmail. I only have a Gmail
account because of my Android things.

--
Caver1

[James Moe]

On 11/10/2016 02:16 PM, Caver1 wrote:
> Has nothing to do With POP3/S. I agree about Yahoo
> complaining. That's why I posted this.
>

I am still unclear if you are using a secure connection (SSL). If you
have selected POP3, is the port number 995? (The not-secure port number
is 110.)

[Caver1]

On 11/12/2016 01:43 PM, James Moe wrote:
> On 11/10/2016 02:16 PM, Caver1 wrote:
>> Has nothing to do With POP3/S. I agree about Yahoo
>> complaining. That's why I posted this.
>>
> I am still unclear if you are using a secure connection (SSL). If you
> have selected POP3, is the port number 995? (The not-secure port number
> is 110.)
>

Yes I am using a secure connection you have to use TSL/SSL
with the proper ports for Yahoo.
This has nothing to do with connection it has to do with
Yahoo stating that TB is not secure enough for Yahoo. Which
is bull.
You can change the setting in your Yahoo account to make it
let TB connect as a less secure app.

--
Caver1