Thunderbird and Logjam
- Revision id: 101060
- Creator: Matt
- Comment: Submitted for comment and further editing.
- Reviewed: No
- Ready for localization: No
With the release of Thunderbird 38.1 and the ESR release 31.8, the work done by the Firefox core developers to patch the Logjam vulnerability (CVE-2015-4000) in all Mozilla products using the Gecko core engine rippled through to Thunderbird as a security and stability patch.
What does this mean to me?
Nothing, unless a mail server you use is still using very old cipher keys for SSL/TLS. If the server has not been patched to use a more recent set of keys (2048-bit), your connection to the server will fail, with the following distinctive error message appearing in the Error Console (Ctrl + Shift + J).
What do I need to do?
- If your mail server is affected, in the first instance contact your mail provider. All servers should be updated to protect you and your information.
- If you are the server administrator, there is useful information on what you need to do, published by the working group that detected the issue, here
There is a short-term workaround for those using Thunderbird: installing the add-on Disable DHE. This add-on is listed on the add-on site as being for Firefox, and therefore must be downloaded and then installed into Thunderbird from the downloaded file. It will not appear in the Thunderbird add-ons manager if you search for it.
The use of the add-on is not a long-term solution, and is not a substitute for fixing the server. You are still at risk of a man-in-the-middle attack while using it. But it gives breathing time to make arrangements for new key pairs to be generated for the server.