Mozilla Meltdown Blues

Discussion in 'other security issues & news' started by razorboy, Nov 21, 2020 at 8:52 PM.

  1. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    190
    Location:
    North
    With a recent Thunderbird (and maybe Firefox?) update, Mozilla outdid itself. It changed profile files so that any profile could thereafter not be used with any previous version of Tbird. That is, if Tbird messed up and you want to go back to a previous version, it could not be done. Worse, this was done with automatic update, if one did not know enough to deny auto updates in the settings. Worse, something in the security settings or language of Tbird changed, so that some servers and ISPs could not be connected to except without any encryption of any type. So some people got booted off the www immediately after the update occurred, could not connect, could not go back to an older version. We got caught in this. My ISP's tech support said "Yeah, a lot of our customers got caught in that update. The only way to connect is with encryption set to NONE." He's right. No other connection will work. If encryption is used, there will be an error message: "Could not connect, password, user name or settings error." No encryption, no problem/

    My question (since there are so many security folks here) is rather vague, but: can you imagine what kind of changes Mozilla must have made to have rendered encrypted connections impossible? I believe this is a problem with a few ISP/Mail providers, but not most. (The profile problem is another story.)
    Thanks for any thoughts.
     
  2. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    190
    Location:
    North
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,411
    Location:
    Outer space
    So have you tried enabling TLS 1.0 and 1.1 to see if that fixes the problem?
    TLS 1.2 has been out a long time(and has already been succeeded by TLS 1.3, which is growing more common every day), so if that is the case, your ISP has bad security practices.
     
    Last edited: Nov 23, 2020 at 4:55 AM
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,908
    Location:
    USA
    Have you made sure you entered the correct ports? I know it seems too obvious but depending on the mail server some encrypted connections will only connect to a specific port. Especially SMTP where it is not uncommon to connect to 25, 465, 587, or 2500.
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,204
    Location:
    Member state of European Union
    Probably there were discovered vulnerabilities in some older TLS version, key exchange algorithm long time ago, so Mozilla decided to finally abandon that version or algo, because it was unsecure anyway.
     
  6. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    190
    Location:
    North
    Thanks for those answers. Yes, the problem is that Mozilla changed the TLS minimum AND changed the system of writing profile files, without consulting anyone. I doubt that they care much what the non-hacking classes get from it.

    The minimum TLS was 1.0 before, now it is 1.2. I could do the about:config thing and change it on the laptop back to 1.0, from what I read that would probably work. However, that raises the bigger question: is 1.0 unsafe, insecure? The laptop in question is used for business, and as much as I would like to cut off my unpaid work on this at 10 hours or so, if the critter really is not very secure I have to consider that. I think it quite unlikely that the ISP would crank the security for our sake, but if 1.0 is unsafe, then I have only one option: lose Thunderbird. I live in a place where there is only one ISP, a cable company, so if they don't want to play nicely and up the TLS ante, that's my tough luck.
     
  7. razorboy

    razorboy Registered Member

    Joined:
    Dec 26, 2010
    Posts:
    190
    Location:
    North
    .... and if the ISP makes the minimum to be 1.2, suddenly the zillion customers who are configured in such a way as to be inconsistent with that are going to be cut off. My choice is to configure at TLS 1.0 or............. don't go on the internet, as there is only one ISP available on this street. On the wider view, I can't see how every ISP/Mail provider in North America can upgrade their servers and have their 9 zillion customers upgrade their clients/connections at the same time. Ugh...
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,411
    Location:
    Outer space
    TLS 1.2 has been around for quite a while, for example Thunderbird had it already enabled by default in version 31 I think, so I breakage would be minimal if the ISP makes 1.2 the minimum. Besides, they can just support TLS 1.2 without also making it the minimum and then nothing would break.
    Also, you may be limited to your ISP because you don't have another choice, but there are tons of 3rd party email providers you could use.
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,204
    Location:
    Member state of European Union
    Source: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2
    https://website-archive.mozilla.org...tes/en-us/firefox/27.0/releasenotes/?flang=ro
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.