
This thread was closed and archived. Please ask a new question if you need help.

Thunderbird needs to expose more settings through UI / Slow SSL negotiation with security.tls.version.min = 1 .... to work better with ProtonMail

  • Last reply by Wayne Mery


Comments on Beta because I have nowhere else to go. I've put it through its paces by doing all sorts of strange things I thought I might do with it. I primarily wanted another ProtonMail client but Thunderbird lacks the security needed!!!!

WHERE THE HECK IS THIS SETTING?????? When I was trying to connect a ProtonMail bridge to Thunderbird (something a lot of people will want to do) you need to require SSL. Now in the UI that option does not exist. It does in the Preferences-Advanced-General-ConfigEditor (and behind the warning window). There is a key there called "security.tls.version.min" "modified" for me from Integer 1 to integer 2. Now I have forced SSL/TLS but why did I, an IT pro, have to do this and there? The connections that required SSL were having to take lots of time negotiating stuff; with the 2 the connections know it's encrypted and connect in a snap. Connecting back to a mail server with 1000 messages and this setting at "1" made Thunderbird unstable in that things were moving and changing as fast as it could because I was making changes on ProtonMail. Timeouts were all over and Gmail blocked me at points because I had used too many connections. Put the Force SSL into the GUI, please? And the following:

NEED You also have to give an option on Fonts! This is a common gripe. Putting a chrome config file into a hidden location is way above 90% of the population.

NEED Thunderbird NEEDS a built in PKS12 Security system so that ProtonMail will Trust Thunderbird. ProtonMail trusts Outlook and a few other commercial ones. Thunderbird will only be a success if it incorporates the latest in security from the inside out!

SERIOUS PROBLEM Keys and passwords between Thunderbird and Firefox need help and a partial integration into Apple's keychain. I don't want a lot of this stuff on the iCloud but I'd like iCloud or I personally prefer an LDAP server as it should be (Maybe even an OpenSource public one with privacy and security). I know there is a group on that. I'm on the edge with both Betas and with hardly any addons that are compatible with this high a version. The EnigmaMail plugin was nice, but it was only a bandaid.

SERIOUS PROBLEM But look at the GUI and ask yourself, is this all that a regular user needs? is this easy and straightforward? is this secure? Is this thing rock solid? is this thing integrated into something else even if just Firefox?

PROBLEM There is a Bug, but I will assume you know about it "Account Settings" where the dialog Box goes up and disappears then a dialog box comes down on what you chose. If you do this for a lot of settings the original dialog box will only appear 1/3 the size and not be scrollable. If you save and reedit you are fine.

WANT You need to make it easy to specify servers apart from other things. I would like the ability to filter outgoing mail to certain SMTP servers.

I work with Firefox's Beta too. It is solid as a rock even as a Beta. Thunderbird is not getting the attention it needs or something. Thunderbird needs work before I'd recommend it to clients.

Chris Augustine Stress Tester for Myself


Modified by Wayne Mery


All Replies (19)


Hello Chris.

Have you followed these steps to set up Thunderbird with the bridge? I haven't found any mention of changing security.tls.version.min, please try to reset it back to its default value. The encrypted connection is forced by the SSL dropdown options in step 4. of the article linked above.

Thunderbird is currently being developed by its community and at this moment also moving to a completely independent infrastructure. You can read more about the Thunderbird present and future on the blog https://blog.mozilla.org/thunderbird/.


Nope, you must change this setting. I know because I tried everything as a professional software tester would. I set up the bridge back to 2000 emails and a dozen folders, 3 simple Yahoo accounts and a Gmail account with over 1000 messages. You do that and move and delete stuff and you will see worst case scenarios. ((BTW I hate, and I don't mean you specifically, but people saying read the docs or man pages: no offense intended)) If anyone will break something it'll be me. It's why I say Firefox is solid as a STONE!!!! Thunderbird is not ready and there is a need for it.

You must change the hidden setting. The settings on page 4 still allow SSL negotiations which shows as slow connections, timeouts, and Gmail saying you've used too many ports.

I set that one setting and everything flew, connections flew, the entire folder system just appeared.

No, this setting has to be on the GUI, sorry. And relying on extensions for fonts won't get it. Security is as well. If you would can someone send this to the Thunderbird Support (Beta tester because I might as well be one, I'm on the Beta fork). This thing is not ready. Firefox is!

Chris Augustine Ex Cisco Networking Consultant / crazy technology enthusiast


I just looked over at the Thunderbird site and I do not like what I saw. Who is going to oversee this thing? Who is going to oversee it and code it? I saw many issues, serious issues just browsing. No, Thunderbird has already failed. I'm sorry to say it. My leanings were that way, but now with no stability or support from a "big brother" I thought was Mozilla; I've seen this train wreck before.

Who will take on the serious need for a secure OpenSource email client that is solid???? This is a failed undertaking if nothing changes. I'm sorry to be so blunt....


caugusti said

I just looked over at the Thunderbird site and I do not like what I saw. Who is going to oversee this thing? Who is going to oversee it and code it? I saw many issues, serious issues just browsing. No, Thunderbird has already failed. I'm sorry to say it. My leanings were that way, but now with no stability or support from a "big brother" I thought was Mozilla; I've seen this train wreck before. Who will take on the serious need for a secure OpenSource email client that is solid???? This is a failed undertaking if nothing changes. I'm sorry to be so blunt....

My gosh, the sky is falling. Which site, and what are you talking about?

Though I agree there are great security needs.

You should know that 99% of the press about Thunderbird dead is just BS. Volunteers and also paid staff consistently work on Thunderbird - https://wiki.mozilla.org/Modules/Thunderbird - and more developers are being hired.

As for settings, plenty of people use them that are not IT pros. It seems to me you might complain to the people who wrote https://protonmail.com/bridge/thunderbird#15 for giving incomplete instructions? (Surely you are not the first person to have this problem)


The only bug report I could find in a short time is https://bugzilla.mozilla.org/show_bug.cgi?id=551305 and I'm not 100% sure it is relevant. I'll dig deeper


The press has it that Thunderbird is going its own way. Mozilla is going another. The turnover but the new hires are who knows: probably good but could be bad. To me the project looks rudderless and without a champion steering the project forward.

There is a very great need for an opensource secure mail client! That I will agree. In my angst I was a bit "chicken little."

I did not know this was the wrong forum for a good rant. I did find out what 0 through 3 means for the security.tls.version.min setting in the config means for this setting, and I'll relay it to you all.

security.tls.version.min

0 - SSL3.0 (unsecure)

1 - TLS 1.0

2 - TLS 1.1

3 - TLS 1.2

The default is 1. There is also a maximum setting but don't worry. Something about ProtonMail in that wants TLS 1.1. If this isn't minimum it constantly negotiates connections at a SLOW rate. Set the setting at 2 and Thunderbird flies through connections with ProtonBridge. The bridge is really solid. If Thunderbird could work with them to basically use the bridge for security but built in, would be nice.

As to fonts, I am starting to understand the complete reboot of CSS and HTML being led by Google with/and Chrome. There is also a move to HTTPS everywhere and everything about security in general. Thus all the Java script restrictions and changes too. The DOM, forget about it.... Change is going on. Good and bad.

With Firefox it's rock solid but it's built on Chrome. When I first played with Thunderbird I tried to rip out anything Google, but there is a bunch of chrome there too. I broke it but I learned. I want to thank the developer that allowed me to reset all the settings back to default, genius.

We are in agreement. The sky is not falling. I wish the press were better on Thunderbird. I wish that Thunderbird get the support it needs to be a contender. I want Thunderbird to become great!

I come back into the programming field after 20 years banging Cisco equipment. I'm a bit rough because I don't know the present terrain. I learn fast. I apologize, but a good rant is good and it's perfect if you say it is and apologize. There are truths in rants. The programmers will hear, there I will go.

I just saw the future when I compiled a Chromium engine/browser with the APIs that Google is running with. I hope Apple is up to the challenge. I hope we have some privacy left....... That is what worries me. This trade off between convenience with privacy and dependence is something we must all face soon. Driving my car by memory and using vectors when not sure is fine with me (so I'm fine without a car navigation system). I do LOVE technology; I also understand the MONEY, having a business degree too.

Thanks all for reading and understanding. I'm fine.

Chris P Augustine
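An added example, not part of the thread: a small audit of a Thunderbird/Firefox profile's `prefs.js` text for the `security.tls.version.min` and `security.tls.version.max` preferences discussed above. The `default_min=1` argument follows the default stated in the post; the value 4 (TLS 1.3), the `policy_floor` parameter and the sample profile text are assumptions made for this example.

```python
import re

# Pref values 0-3 are the ones listed in the thread; 4 (TLS 1.3) is added here.
TLS_PREF_VALUES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# prefs.js / user.js lines look like: user_pref("security.tls.version.min", 2);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(security\.tls\.version\.(?:min|max))"\s*,\s*(-?\d+)\s*\)\s*;'
)


def read_tls_prefs(prefs_text):
    """Return the security.tls.version.* integers explicitly set in the profile text."""
    found = {}
    for line in prefs_text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            # A later line for the same pref overrides an earlier one.
            found[match.group(1)] = int(match.group(2))
    return found


def audit_tls_prefs(prefs_text, default_min=1, policy_floor=3):
    """Report the effective minimum TLS version and any findings against policy_floor.

    default_min: value assumed when the pref is absent (1 per the thread; an assumption).
    policy_floor: lowest pref value the auditor accepts (hypothetical local policy).
    """
    prefs = read_tls_prefs(prefs_text)
    explicit = "security.tls.version.min" in prefs
    min_value = prefs.get("security.tls.version.min", default_min)
    max_value = prefs.get("security.tls.version.max")
    findings = []

    if min_value not in TLS_PREF_VALUES:
        findings.append("min=%d is not a known protocol value" % min_value)
    elif min_value < policy_floor:
        origin = "set in profile" if explicit else "not set, default assumed"
        findings.append(
            "min allows %s (%s); policy floor is %s"
            % (TLS_PREF_VALUES[min_value], origin, TLS_PREF_VALUES[policy_floor])
        )
    if max_value is not None and max_value < min_value:
        findings.append("max=%d is below min=%d; the range is inconsistent"
                        % (max_value, min_value))

    return {
        "min": min_value,
        "min_protocol": TLS_PREF_VALUES.get(min_value),
        "explicit": explicit,
        "findings": findings,
    }


# Constructed sample profile text (not taken from a real profile).
SAMPLE_PREFS = '''
user_pref("mail.server.server1.hostname", "127.0.0.1");
user_pref("security.tls.version.min", 2);
'''

if __name__ == "__main__":
    report = audit_tls_prefs(SAMPLE_PREFS)
    print(report["min_protocol"], report["findings"])
```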


Wayne Mery said

The only bug report I could find in a short time is https://bugzilla.mozilla.org/show_bug.cgi?id=551305 and I'm not 100% sure it is relevant. I'll dig deeper

I've heard that. I am dealing with IMAP only (I could never get gmail to act as a POP3 server even if set up as required (I blame gmail for that)). I had 3 Yahoo accounts that were empty, that gmail on IMAP and the one to the bridge on IMAP at 127.0.0.1 (me). The connections were slowing going between folders. You could read the connections go up and down. When at TLS 1.1 you could not read anything because the connections went up and down so fast. I know I can't be the first affected by this. Is it the TLS protocol or the implementation? And then which side? What is it about going from TLS 1.0 and TLS 1.1 or back? I'm on a Mac 2017 12" laptop (Highly recommended) and was on the latest Thunderbird Beta. I'd really like to see the packets going back and forth. I may have to figure out how to get a sniffer on a mac (enough of PCs.....).

I agree most settings should not be exposed to an average user. And I know I'm on the edge of the envelope with all this.

There is an issue and I thank you for going through and getting the point.

Thank you Chris


Wayne Mery said

The only bug report I could find in a short time is https://bugzilla.mozilla.org/show_bug.cgi?id=551305 and I'm not 100% sure it is relevant. I'll dig deeper

Below is what I gave to Protonmail. I need the developers dealing with Thunderbird's network APIs to see this because it's in the TLS protocol or the current API's written to it. Gmail acted just like the Bridge..... And this is my opinion as to where to look. Now I'm assuming Thunderbird is perfect........


Hey you all,

I've ranted in the Mozilla forum a bit too much and you all need to hear this. You have to manually go into the config of Thunderbird's latest build to correctly set up the bridge. (Peek behind the curtains way back.........

security.tls.version.min

0 - SSL3.0 (unsecure)

1 - TLS 1.0

2 - TLS 1.1

3 - TLS 1.2

The default is 1. There is also a maximum setting but don't worry. There is something about ProtonMail in that wants TLS 1.1. But gmail acted the same (wanting TLS 1.1). If this isn't minimum it constantly negotiates connections at a SLOW rate. Set the setting at 2 and Thunderbird and gmail flies through connections with ProtonBridge. The bridge is really solid but a bear to set up. When going it seems solid.

Question is: why is this an issue? What is it about going from TLS 1.0 to TLS 1.1 and back (with the negotiation); that is a problem and the cause of slow connections?

You set security.tls.version.min to 2 and the connections are fast and stuff flies. Folders show up, mail syncs and everything acts right. Do the same with the setting at "1" with a mailbox of 1000 emails with 20 folders/labels with 3 empty IMAP Yahoo accounts and one gmail IMAP account while deleting and moving emails: and Thunderbird gets really unstable (because it can't get those connections speedy enough to keep up).

Seeing that gmail had the same issue I really don't think it's a problem of ProtonBridge. BUT this needs to be in the install literature for new users. They may have to adjust this and say what's going on.

I will eventually pull out my packet sniffer if I can get it on this mac. (I'm burnt out on PCs).

We are looking at a TLS negotiation issue in the protocol itself or Thunderbird's implementation. I don't know why they referred me over here but you all need to know this from someone at the edge of the envelope. This movement led by Google to secure the Internet is uncovering problems.

Chris P Augustine

With Firefox it's rock solid but it's built on Chrome.

Nonsense. What evidence do you have?

Modified by Zenos


Chris P Augustine said

With Firefox it's rock solid but it's built on Chrome.

https://en.wikipedia.org/wiki/Firefox

Well that is just well false. The Web browser we know as Firefox started way back on September 23, 2002 under name of Phoenix 0.1. Later it was changed to Firebird (miss that name) due to Phoenix Bios. Then it changed to Firefox as of 0.8 Release due to Firebird SQL already having name bit earlier on and to reduce confusion.

The Google Chrome web browser did not even have an initial release until September 2, 2008 so how could Firefox be based or built on Chrome ;)

Firefox uses Gecko as it does not use Blink as you must be thinking of another web browser that uses Blink like Opera or Chromium.

As for the TLS settings. http://kb.mozillazine.org/Security.tls.version.*

Modified by James


Zenos said

With Firefox it's rock solid but it's built on Chrome.

Nonsense. What evidence do you have?

Per: https://developer.mozilla.org/en-US/docs/Mozilla/Gecko

Notice the first thing after Documentation.......

Documentation

Chrome

   'This page contains information specific to Chrome code running in Gecko.'

Gecko FAQ

   Frequently asked questions about Gecko.

Gecko DOM reference

   Reference to the DOM.

Gecko event reference

   Reference to events used within Gecko and Mozilla applications; for web-standard DOM events, see the DOM event reference.

Gecko versions and application versions

   Versions of Gecko and the applications they're used in.

Introduction to Layout in Mozilla

   Tech Talk on layout.

Embedding Mozilla

   Using Gecko in your own application.

Character sets supported by Gecko

   A list of the character sets supported by Gecko.

HTML parser threading

   Description of multithreading in the HTML parser.

Gecko Home Page on MozillaWiki

   Home for the active developers. Roadmaps and more up-to-date resources.

James said

Chris P Augustine said
With Firefox it's rock solid but it's built on Chrome.

https://en.wikipedia.org/wiki/Firefox

Well that is just well false. The Web browser we know as Firefox started way back on September 23, 2002 under name of Phoenix 0.1. Later it was changed to Firebird (miss that name) due to Phoenix Bios. Then it changed to Firefox as of 0.8 Release due to Firebird SQL already having name bit earlier on and to reduce confusion.

The Google Chrome web browser did not even have an initial release until September 2, 2008 so how could Firefox be based or built on Chrome ;)

Firefox uses Gecko as it does not use Blink as you must be thinking of another web browser that uses Blink like Opera or Chromium.

As for the TLS settings. http://kb.mozillazine.org/Security.tls.version.*

Not the right answer anyway on the problem outlined about Thunderbird and its TLS implementation. There are people that can test stuff right? People that actually code the stuff?

Why I'm still here; I must love drama. Wayne Mery is the only person to pick up the problem. I just like to type.


This piece from back in '16 talks exactly about what I see. Parts or chunks of Chromium being used underneath Gecko. The feel of both and the versions and the limitations all feel close to me. Now, if you want you can take out every chrome setting in the config and see if it works? Thunderbird or Firefox. I did. I also built Chromium last week. It's open source. I'm sorry you all. Firefox is a nice browser (better actually) and I know Thunderbird is coming to terms with this fact in its own foundation. All will be OK.

https://www.theregister.co.uk/2016/04/11/future_of_firefox_is_chrome/


Last point, does anyone know that both Chrome and Firefox use the exact same Dev built-in tool? Open them both... See with your eyes.... Are my eyes deceiving me? I throw out the proof. Mozilla has no clue what is happening with Chrome because of Google's mad dash to security and to get their FULLY loaded cloud up. Yes Firefox runs on chrome or should I say Firefox is now just a blanket over chrome. I guess I want to start a riot. I'll leave you all alone. It comes down to Javascript...because it runs the web and dam it has been doing a lot under our noses taking our privacy away. You look at the trackers and activity on a typical page now. Who cares about cookies who is xyz.jp and why are they retrieving data from me. If you want my data buy it from me! I expect no one will object to that......


Chris P Augustine said

Zenos said
With Firefox it's rock solid but it's built on Chrome.

Nonsense. What evidence do you have?

Per: https://developer.mozilla.org/en-US/docs/Mozilla/Gecko

Notice the first thing after Documentation.......

Documentation

Chrome

'This page contains information specific to Chrome code running in Gecko.'

This mention of Chrome has nothing to do with the Google Chrome web browser. The word Chrome in Mozilla applications such as the Mozilla suite (which SeaMonkey is a continuation of) has existed for over a decade before the Google Chrome even existed. A common confusion people can make if they encounter a chrome:// for something in Firefox, Thunderbird, SeaMonkey etc and think "What is Chrome doing in Firefox!!!".

https://developer.mozilla.org/en-US/docs/Glossary/Chrome

In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs). This is not to be confused with the Google Chrome browser.

https://developer.mozilla.org/en-US/docs/Mozilla/Chrome_Registration

https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/The_Chrome_URL

http://kb.mozillazine.org/Chrome_URLs

http://kb.mozillazine.org/Dev_:_Firefox_Chrome_URLs

Another long time chrome related thing in Mozilla related applications that has nothing to do with Google Chrome is userChrome.css http://kb.mozillazine.org/userChrome.css

Modified by James


Chosen Solution

Chris,

You are trying to infer all kinds of things from non-technical websites - that's a big mistake and a rabbit hole. I suggest you stop, and visit a technical newsgroup or website and engage people who work in those technologies. In addition, most news sites are utter BS - they get their "facts" from statements they don't understand, don't check their sources, don't understand the technology, yada yada. This includes the Register which years ago was a reliable news source but not anymore. They are mainly in it for notoriety and web advertising revenue.

But let's please end all these digressions. This topic is ONLY about the SSL/TLS issues and nothing more.

Modified by Wayne Mery


Sorry, a final off-topic post for an excellent reference I refound about gecko chrome - https://developer.mozilla.org/en-US/docs/User:wbamberg/Gecko_basics#Chrome_and_content

(gecko) Chrome <> Google Chrome

(gecko) Chrome <> Chromium


This past is past. The DOM is being completely cut off from JavaScript. There are too many things going on under the hood right now. That's where the work is going on to secure the browser.

I ask again, and I'll just leave... Why are the Development tools in the Developer Edition the exact same thing in Firefox and Chrome/Chromium?

If Chromium and Firefox are OpenSource what's to stop either from borrowing from the other? Chrome may have a few goodies hidden away from Chromium, but that's Chrome. The whole development model is changing. It's because java script is dangerous as hades and given time anyone could take down every web browser and computer, sandbox or not. Google is in a mad dash to get SSL/TLS everywhere fast. On eBay we can't use 3rd party website pix or data because of Google. There is some real push to this movement to a secure web! I would say it's probably a combination of Google's plans for distributed services on its cloud that are unthinkable at present. It's like I'm on CompuServe and told about some Internet. What's that I asked Borland developers. The second reason is the Government has mandated it (NSA not, but another agency probably).

You all know TCP/IP was only supposed to be temporary when it was used as people haggled over the defunct ISO standards. It's where we get the ISO network diagram that doesn't really fit to anything, right? The IETF became the group in charge of the Internet as TCP/IP took off and the ISO under the UN bickered. It's a very different network model based on nodes not subnets.

I seem to think most people here really don't know much. Just happy as a clam. Defend Firefox to the end, right? I use it, it is better, but know what's under the hood. When people get this defensive I've usually struck at a truth that only some know or want to know. Chrome is under the hood.

That's it I'm out of here catching up on today's programming environment. Enjoy your day. I'll go to bed just before the sun rises.

Chris Augustine Antagonist for Action and Truth (and intelligence)


Just to be clear (again) - nobody in Thunderbird support will be interested in answering questions about Firefox. If you are dead set at getting an answer (about Firefox and Chrome) then please post to the firefox help https://support.mozilla.org/en-US/questions/new/desktop

Modified by Wayne Mery