Thunderbird and Logjam

Revision Information
  • Revision id: 101060
  • Created:
  • Creator: Matt
  • Comment: Submitted for comment and further editing.
  • Reviewed: No
  • Ready for localization: No
Revision Source
Revision Content

With the release of Thunderbird 38.1 and the ESR release 31.8, the work done by the Firefox core developers to patch the LogJam common vulnerability (CVE-2015-4000) in all Mozilla products using the Gecko core engine rippled through to Thunderbird as a security and stability patch.

What does this mean to me?

Nothing, unless a mail server you use is still using very old cipher keys for SSL/TLS. If the server has not been patched to use a more recent set of keys (2048-bit), then your connection to the server will fail, with the following distinctive error message appearing in the Error Console (Ctrl + Shift + J).

[Image: LogJam in the error console]

What do I need to do?

  • If your mail server is affected, in the first instance contact your mail provider. All servers should be updated to protect you and your information.
  • If you are the server administrator, there is useful information on what you need to do published by the Working Group that detected the issue here
When you visit that page, your browser will be tested to see if it is vulnerable to the attack and you will be notified accordingly.

There is a short-term workaround for those using Thunderbird: installing the add-on Disable DHE. This add-on is listed on the add-on site as being for Firefox, and therefore must be downloaded and then installed into Thunderbird from the downloaded file. It will not appear in the Thunderbird add-ons manager if you search.

The use of the add-on is not a long-term solution and is not a substitute for fixing the server. You are still at risk of a man-in-the-middle attack while using it. But it gives breathing time to make arrangements for new key pairs to be generated for the server.
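
For server administrators checking whether a server is still below the 2048-bit size mentioned above, the following added example (not part of the original article and not Mozilla code) reads the prime length from a Diffie-Hellman parameter file. It assumes the server keeps its parameters in a PEM "DH PARAMETERS" file; the function names and the sample built by `constructed_pem` are constructed for illustration.

```python
import base64
import re

MIN_BITS = 2048  # size the article gives for up-to-date server keys
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def read_tlv(der, pos):
    """Read one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    if pos + length > len(der):
        raise ValueError("truncated DER")
    return tag, der[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    m = re.search(re.escape(BEGIN) + r"(.+?)" + re.escape(END), pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = read_tlv(seq, 0)  # first INTEGER in the sequence is p
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def is_weak(pem_text):
    """True when the prime is shorter than MIN_BITS."""
    return dh_prime_bits(pem_text) < MIN_BITS

def der_item(tag, body):
    """Encode one DER element; used only to build the sample below."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def constructed_pem(bits):
    """Constructed sample: correct structure, but p is NOT a real prime."""
    ints = [i.to_bytes(i.bit_length() // 8 + 1, "big") for i in ((1 << (bits - 1)) | 1, 2)]
    der = der_item(0x30, b"".join(der_item(0x02, i) for i in ints))
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
```

To check a real file, pass its text contents to `is_weak`; a `True` result means the parameters are shorter than 2048 bits and should be regenerated.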