Thunderbird and Logjam
- Revision id: 102952
- Creator: Wayne Mery
- Comment: correct nit on top of Tonnes changes, and clarify add-on installation process
- Reviewed: No
- Ready for localization: No
The release of Thunderbird 38.1 and the ESR release 31.8 saw the work done by the Firefox core developers to patch the LogJam common vulterability (CVE-2015-4000) in all Mozilla products using the Geko core engine ripple through to Thunderbird as a security and stability patch.
What does this mean to me?
Nothing, unless your mail server is still using very old cipher keys for SSL/TLS. If the server has not been patched to use a more recent set of keys (2048 bit), your connection to the server will fail with the following distinctive error message appearing in the Error console (Ctrl + Shift + J).
What do I need to do?
- If a mail server you use is affected, in the first instance contact your mail provider. All servers should be updated to protect you and your information.
- If you are the mail server administrator, you need to view the info published by the Working Group that detected the issue here.
There is a short-term workaround for those using Thunderbird, by installing the add-on Disable DHE. This is listed as a Firefox add-on, and therefore must be downloaded to your computer using a browser, then installed with Thunderbird add-on manager using "Install Add-on From File". Disable DHE will not appear in the Thunderbird add-ons manager if you search for it from Thunderbird.
The use of the add-on is not a long term solution, and is not a substitute for fixing the server. By using it, you are at risk of a man-in-the-middle attack, but it gives breathing time for the server adminstrator to generate and install better key pairs on the server.