Thunderbird and Logjam
- Revision id: 102942
- Creator: Wayne Mery
- Comment: small editorial changes
- Reviewed: Yes
- Reviewed by: wsmwk
- Is approved? Yes
- Is current revision? No
- Ready for localization: Yes
- Readied for localization:
- Readied for localization by: wsmwk
With the release of Thunderbird 38.1 and the ESR release 31.8, the work done by the Firefox core developers to patch the Logjam vulnerability (CVE-2015-4000) in all Mozilla products using the Gecko core engine has rippled through to Thunderbird as a security and stability patch.
What does this mean to me?
Nothing ... unless your mail server is still using very old cipher keys for SSL/TLS. If the server has not been patched to use a more recent set of keys (2048-bit), then your connection to the server will fail with the following distinctive error message appearing in the Error Console (Ctrl + Shift + J).
What do I need to do?
- If a mail server you use is affected, in the first instance contact your mail provider. All servers should be updated to protect you and your information.
- If you are the mail server administrator, what you need to do is published by the Working Group that detected the issue here
There is a short-term workaround for those using Thunderbird: installing the add-on Disable DHE. This add-on is listed on the add-on site as being for Firefox, and therefore must be downloaded and then installed into Thunderbird from the downloaded file. It will not appear in the Thunderbird add-ons manager if you search.
The use of the add-on is not a long-term solution, and is not a substitute for fixing the server. By using it you are at risk of a man-in-the-middle attack. But it gives breathing time for the server administrator to generate and install better key pairs on the server.
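To confirm whether a server is affected, or that it has been fixed, an administrator can read the Diffie-Hellman size it offers from the `Server Temp Key` line that `openssl s_client` (OpenSSL 1.0.2 and later) prints. The following is an added example, not part of the original article: the hostname in the comments is a placeholder, the sample outputs are constructed, the verdict labels are made up for illustration, and the 2048-bit threshold is the figure given above.

```shell
#!/bin/sh
# Classify the ephemeral key size reported in `openssl s_client` output.
# Live use against your own server (placeholder hostname):
#   openssl s_client -connect mail.example.com:993 -tls1_2 -cipher DHE \
#       </dev/null 2>/dev/null | check_dh_size
#   openssl s_client -connect mail.example.com:587 -starttls smtp -tls1_2 \
#       -cipher DHE </dev/null 2>/dev/null | check_dh_size

MIN_DH_BITS=2048   # key size recommended in the article above

check_dh_size() {
    # Reads s_client output on stdin and prints a single verdict line.
    awk -v min="$MIN_DH_BITS" '
        /Server Temp Key:/ {
            # e.g. "Server Temp Key: DH, 1024 bits"
            #   or "Server Temp Key: ECDH, P-256, 256 bits"
            sub(/^.*Server Temp Key:[ \t]*/, "")
            n = split($0, f, ", *")
            kind = f[1]
            bits = f[n]; sub(/ *bits.*$/, "", bits)
            found = 1
        }
        END {
            if (!found)              print "NO-DHE no ephemeral key reported"
            else if (kind != "DH")   print "NOT-DH " kind " " bits
            else if (bits + 0 < min) print "WEAK DH " bits
            else                     print "OK DH " bits
        }'
}

# Constructed excerpts of s_client output, used as offline sample input.
sample_weak() {
cat <<'EOF'
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
EOF
}

sample_ok() {
cat <<'EOF'
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
EOF
}

sample_weak | check_dh_size
sample_ok | check_dh_size
```

`NO-DHE` means the handshake produced no ephemeral key line at all, which with `-cipher DHE` indicates the server did not negotiate a DHE suite.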