Thunderbird and Logjam
- Revision id: 102987
- Creator: Wayne Mery
- Comment: add link to sysadmin guide
- Reviewed: Yes
- Reviewed by: MattAuSupport
- Is approved? Yes
- Is current revision? No
- Ready for localization: Yes
- Readied for localization by: MattAuSupport
The release of Thunderbird 38.1 and the ESR release 31.8 brought the work done by the Firefox core developers to patch the Logjam vulnerability (CVE-2015-4000) in all Mozilla products using the Gecko core engine through to Thunderbird as a security and stability patch.
What does this mean to me?
Nothing, unless your mail server is still using very old, weak Diffie-Hellman (DH) key exchange parameters for SSL/TLS. If the server has not been patched to use a more recent set of keys (2048 bit), your connection to the server will fail, with the following distinctive error message appearing in the Error Console (Ctrl + Shift + J).
What do I need to do?
- If a mail server you use is affected, in the first instance contact your mail provider. All servers should be updated to protect you and your information.
- If you are the mail server administrator, you need to read the information published by the Working Group that detected the issue here. Note especially the sysadmin guide.
There is a short-term workaround for those using Thunderbird, by installing the add-on Disable DHE. This is listed as a Firefox add-on, and therefore must be downloaded to your computer using a browser, then installed with the Thunderbird Add-ons Manager using "Install Add-on From File...". Disable DHE will not appear in the Thunderbird Add-ons Manager if you search for it from Thunderbird.
The use of the add-on is not a long-term solution, and is not a substitute for fixing the server. By using it, you are at risk of a man-in-the-middle attack, but it gives breathing time for the server administrator to generate and install better key pairs on the server.
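For a mail server administrator who wants to confirm that their own server no longer offers a weak DH group, the shell helpers below are an added example (not part of this article and not Mozilla's code): they probe a server's STARTTLS DHE key exchange with OpenSSL's s_client, read the DH group size it reports, and judge it against the 2048-bit recommendation above; the host name mail.example.com and OpenSSL 1.0.2 or later are assumptions.

```shell
#!/bin/sh
# Added example, not from the support article. Helpers a mail server
# administrator can use to check the Diffie-Hellman (DH) group a server
# offers for DHE cipher suites, and to judge it against the 2048-bit
# recommendation. Assumes OpenSSL 1.0.2 or later (for "Server Temp Key").

# Minimum DH group size accepted, in bits.
MIN_DH_BITS=2048

# Probe a mail server over STARTTLS, asking only for DHE suites so the
# server must reveal its temporary DH key. Prints the raw s_client output.
# Usage: probe_dhe_server mail.example.com 143 imap   (host is assumed)
probe_dhe_server() {
    host=$1; port=$2; proto=$3
    openssl s_client -connect "$host:$port" -starttls "$proto" \
        -cipher 'DHE' </dev/null 2>/dev/null
}

# Read s_client output on stdin and print the DH group size in bits, or
# "none" when no finite-field DH temp key was negotiated (handshake failed,
# or the server used ECDHE/X25519 or TLS 1.3, where Logjam does not apply).
dh_bits_from_sclient() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then echo none; else echo "$bits"; fi
}

# Return 0 when the DH group is at least MIN_DH_BITS, 1 when it is weaker
# (the Logjam case), and 2 when no DHE exchange was observed at all.
check_dh_bits() {
    if [ "$1" = none ]; then return 2; fi
    [ "$1" -ge "$MIN_DH_BITS" ]
}

# Remediation step for the server side: generate a fresh 2048-bit DH group
# to install in the mail server's TLS configuration. This is slow (minutes).
# Usage: make_dh_params /etc/ssl/dhparams.pem   (path is an assumption)
make_dh_params() {
    openssl dhparam -out "$1" "$MIN_DH_BITS"
}

# Example end-to-end run (not executed when this file is only sourced):
# bits=$(probe_dhe_server mail.example.com 143 imap | dh_bits_from_sclient)
# check_dh_bits "$bits"; echo "DH bits: $bits, status $?"
```

A status of 1 means the server is still exposed and its administrator should run make_dh_params and reload the mail server configuration; a status of 2 needs a look at the raw s_client output before drawing any conclusion.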