
Thunderbird 60.0 release - vivagn
https://www.thunderbird.net/en-US/thunderbird/60.0/releasenotes/
======
newscracker
The list of additions, changes and fixes looks impressive! But I’m still
worried about Thunderbird’s future and the planned rewrite. It’s a tough
position to be in, (as if) attached at the hip to Firefox and to deal with the
obsolescence of XUL extensions and other things that come part and parcel of
using a good amount of code from Firefox.

I still believe it was a poor decision by Mozilla to cut off Thunderbird and
float it as a community supported project. It now seems partially blessed by
Mozilla, but isn’t how it was before that separation (AFAIK). The main thing
I’ve felt as a huge missed opportunity with Thunderbird has been the lack of
native Exchange calendar integration (no, none of the extensions, past and
present, are close to even the experience of using Outlook web access for this
purpose).

I’ll continue using Thunderbird for at least a few more years and will support
the project financially, but I feel Outlook web access is slowly chipping away
the need to use a desktop client in enterprise environments that are tied to
Exchange or Office/Outlook 365.

------
b_b
If you are on versions <52, just know that this update won't be shown on the
"About Thunderbird" page that checks for updates.

I was just in the same situation, and simply downloaded the installer from
their main webpage [1] (after backing up my data in my profiles folder[2] and
closing any running instances of Thunderbird), and it simply worked! I have to
say, at least on Windows, the update looks much better, feels quite
refreshing! Almost makes me want to actually check all the new emails :)

[1] = [https://www.thunderbird.net/en-US/](https://www.thunderbird.net/en-US/)
[2] = [https://support.mozilla.org/en-US/kb/profiles-where-thunderbird-stores-user-data#w_backing-up-a-profile](https://support.mozilla.org/en-US/kb/profiles-where-thunderbird-stores-user-data#w_backing-up-a-profile)

~~~
russdill
Also a bit curious on this, Debian and Ubuntu have been on 52 for a long time
now.

~~~
b_b
Yeah, unfortunately I don't have Linux (only WSL but I doubt that would really
compare since I don't use the GUI environments available), so I don't know
whether upgrading like this will be safe. I'd personally wait until the
repository developers bring it in, since there's no guarantee of what might
happen.

------
RobertRoberts
> _Thunderbird version 60 is currently only offered as direct download from
> thunderbird.net and not as upgrade from Thunderbird version 52 or earlier._

Anyone have any idea about how this affects Linux? I am using Mint, and in the
past the suggestion has always been "update through your repository" not with
a download...

Is it different this time for some reason?

~~~
nine_k
I suppose distros haven't packaged it yet.

~~~
RobertRoberts
Sure, that is par for the course... normally. But I've never been told "Don't
upgrade from version X to version Y" before, which is why I am asking if I
need to do something different this time. (ie, not wait for distro update,
because none will be coming...??)

~~~
zerocrates
I think it's just saying it won't come up in Thunderbird's own internal
updater for now.

This shouldn't affect you if you've been installing/updating from a package
manager.

------
bberenberg
Something overlooked, but which I have a lot of respect for is properly
incrementing version numbers. It's rare to see semantic versioning properly
work. Good job TB team.

~~~
fermuch
What do you mean? Doesn't the jump go from 52 to 60?

~~~
earenndil
I think that refers to the version of firefox/gecko that underlies it.

------
Tharkun
I hope this will finally fix the "XML Parsing Error: Undefined entity"-bug
that's been present for nearly a year now. Last I heard RedHat and the
Thunderbird team were still bickering over whose bug it was or whether it was
a packaging issue. It doesn't seem to be listed in the changelog, so I guess I
shouldn't hold my breath.

------
AdmiralAsshat
> FIDO U2F support

Sweet, although IIRC several of the email providers with 2FA (Gmail and
Outlook come to mind) have the option of providing app-passwords instead,
which bypass the need for a 2FA token.

~~~
octosphere
Just so you know, an app password downgrades the security of your 2FA+Password
pairing, and I never use app passwords because of that. If it was somehow
possible to intercept the password used in the IMAP handshake, then that means
access to your inbox without 2FA. This is why I am a huge fan of web-based
clients and not things like Thunderbird.

~~~
jcranmer
IMAP authentication is done within SSL, so you'd have to start with an SSL
MITM to be able to access the password login anyways. If you're scared about
people having access to that, there are quite a few password authentication
schemes baked into IMAP that don't leak your password over the network
(SCRAM-SHA-256, anybody?). That said, all IMAP servers in practice implement only
plaintext auth, or maybe NTLM and Kerberos.

~~~
Borealid
Or a brute-force attack guesses your app password.

One of the major benefits of TOTP is that you have only a certain time window
(usually, 30 seconds) to guess a password before the thing you're trying to
guess changes and you have to start over.

With HOTP, you only get one guess before the goalposts move. The downside is
that it's more vulnerable to DoS attacks when configured that way.

An app password has no brute-force resistance, so it lowers the security of
your otherwise-2FA account overall.

~~~
CyberShadow
> One of the major benefits of TOTP is that you have only a certain time
> window (usually, 30 seconds) to guess a password before the thing you're
> trying to guess changes and you have to start over.

This is, again, wrong. Guessing a 6-digit number will take, on average,
500,000 tries; if the answer changes with each guess, it will take only twice
as much (same as when picking random guesses instead of iterating through all
possibilities in order).

In fact, you might as well try "000,000" over and over every said 30 seconds,
and your guess will eventually be correct after about the above-mentioned
500,000 tries.

[https://run.dlang.io/is/0A467x](https://run.dlang.io/is/0A467x)

~~~
Borealid
I don't think you've understood what has to be guessed. It's not the OTP
alone; it's the OTP and the password, together.

If the OTP "000000" is correct with 50% probability after 500,000 attempts,
you've just increased the number of attacks necessary to brute-force a
password against a live server by (conservatively) 50,000,000%.

~~~
CyberShadow
Sorry, that part I understood. Your comment said something else. There are no
moving goalposts, at least not in a way that matters.

~~~
Borealid
If you are attempting a brute force attack against a particular password, you
either need to know a single OTP and complete the attack before it changes
("the goalposts move"), or try every password with every possible OTP, or
compromise the OTP secret.

~~~
CyberShadow
Yes, that's the part that's wrong/misleading (or at least one interpretation
of it). See my earlier comment.

~~~
Borealid
Let's describe the attack in detail.

You know:

- A username

In order to gain access to this system, you must supply:

- A username
- The corresponding password
- A TOTP code valid for the time you make the attempt

If any piece of information you give the server is wrong, you get an "auth
failed" message which reveals nothing about which part(s) you got wrong. It is
an oracle which answers only "yes" or "no".

Assuming you can guess (ask the oracle) once per second, that there are 52^8
possible passwords and 10^6 possible OTPs, and that every thirty seconds the
valid OTP shifts to a new totally random value within the valid range,
estimate the number of guesses necessary to find (with 50% probability) the
correct combination of information. Now repeat the exercise, with the changed
situational parameter that you no longer need to supply a correct TOTP.

I think you will find that the estimated time to crack is increased by much,
much, much more than a factor of two by having the OTP. I would be interested
to see any alternate answer and the reasoning behind the same.

~~~
CyberShadow
Assuming the attacker has neither the password nor the OTP seed and must
brute-force both (which is what 2FA is all about), the OTP doesn't add more
security than the bits it has (about 20 for a 6-digit decimal number), plus
the 1 bit because it's not constant. For this reason, I think it's misleading
to say that there are moving goalposts or such. Neither the entire attack nor
any part of it must be completed within 30 seconds or whatever the refresh
interval is of the OTP token. Cracking both is still a classic brute-force
attack.
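
Added example (not part of any comment above, and not the D program linked in the thread): a Python model of the exercise posed in this sub-thread, comparing password-only guessing, a password plus a fixed second secret, and a password plus a rotating OTP. The guessing strategy, the uniform redraw of the code each window, and all function names are assumptions of this sketch; lockout and rate limiting are ignored.

```python
import math
import random

def mean_password_only(n_pw):
    """App-password case: one fixed secret, ordered sweep of n_pw candidates."""
    return (n_pw + 1) / 2

def mean_static_pair(n_pw, n_otp):
    """Baseline: second factor is also fixed, ordered sweep of all pairs."""
    return (n_pw * n_otp + 1) / 2

def mean_rotating(n_pw, n_otp):
    """Rotating OTP, guesser always sends the same OTP value (assumed strategy).
    Each sweep of the password list succeeds with probability 1/n_otp, so the
    number of sweeps is geometric; the final sweep stops at the password."""
    return (n_otp - 1) * n_pw + (n_pw + 1) / 2

def simulate_rotating(n_pw, n_otp, window, trials, seed=1):
    """Monte Carlo check of mean_rotating: the valid OTP is redrawn uniformly
    every `window` guesses; returns the average guesses until acceptance."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        password = rng.randrange(n_pw)
        guesses = 0
        while True:
            if guesses % window == 0:
                otp = rng.randrange(n_otp)   # new time step, new valid code
            candidate = guesses % n_pw       # sweep the passwords cyclically
            guesses += 1
            if candidate == password and otp == 0:  # fixed OTP guess "000000"
                break
        total += guesses
    return total / trials

def added_bits(n_pw, n_otp):
    """Work factor the rotating OTP adds over password-only, in bits."""
    return math.log2(mean_rotating(n_pw, n_otp) / mean_password_only(n_pw))

if __name__ == "__main__":
    N, M = 52 ** 8, 10 ** 6            # sizes used in the thread
    print("password only :", mean_password_only(N))
    print("static pair   :", mean_static_pair(N, M))
    print("rotating OTP  :", mean_rotating(N, M))
    print("bits added    :", round(added_bits(N, M), 2))
    print("toy simulation:", simulate_rotating(20, 10, 3, 4000),
          "vs closed form", mean_rotating(20, 10))
```

With the thread's sizes, the rotating code adds about 20.9 bits over the password alone under this model, of which roughly one bit comes from the rotation.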

------
15DCFA8F
Anyone know how to convert all mbox mailboxes to maildir? Just enabled
"mail.store_conversion_enabled" but can't see any UI to make the conversion.

Update: found here -
[http://forums.mozillazine.org/viewtopic.php?f=29&t=3039509](http://forums.mozillazine.org/viewtopic.php?f=29&t=3039509)

------
SmellyGeekBoy
I downloaded this while it was in beta to see whether they'd fixed the scaling
issues with mixed DPI setups in XWayland, or better yet, moved to native
Wayland. Alas, this is not the case.

~~~
dgllghr
Firefox hasn't been ported to wayland, yet. So I wouldn't hold my breath for
thunderbird

------
hs86
Thunderbird is a great email client but I don't trust it when it comes to
calendars and contacts.

Syncing with CalDAV/CardDAV or Google Calendar/Contacts has always been
problematic and apparently this is the very first version where you can edit
single entries of a recurring calendar event. This does not help in building
confidence in Thunderbird as a PIM.

~~~
smsm42
Yep, same experience. I've used Thunderbird for many years, and tried to migrate
my calendar workflow to it many times, and it just does not work. I really
like it as an email client, and I'd like to use it as scheduling tool too, but
currently it's way too clunky to be of any practical use. Sync issues, UI
issues, all kinds of issues. Hopefully they'd get their act together sometime.

------
starik36
I was hoping that Thunderbird would become a unified desktop equivalent of
Mail/Calendar/ToDo of the apps we have on the mobile that can handle all the
major providers (exchange, gmail, icloud, yahoo, pop, imap, etc...).

But it doesn't support a good chunk of these, which makes it difficult to
adopt in my life.

~~~
grawlinson
I'm hoping that addons will spring up due to the renewed development efforts.
As it is, I'm just using Nextcloud (Calendar & Contacts) alongside Rainloop
for mail.

------
nickserv
Looks good but not seeing too many performance improvements unfortunately.

Which is a shame, I much prefer Thunderbird to Kmail UI wise, but when
processing thousands of messages (deleting, moving, filtering, etc) it slows
to a crawl then freezes. Kmail stays responsive.

This on 16 core 32 GB machine. But it doesn't look like the cores are used
very effectively by TB as opposed to Kmail.

For normal usage though it's great. Maybe the next release will focus on
performance optimization, in particular multicore.

------
phyzome
I currently have Thunderbird installed from apt but pinned to an ancient
version that allows Lightning (the calendar tool) to work. (Newer versions
broke Lightning on Linux, although I can't recall the failure mode.) Maybe
I'll try out Thunderbird 60 on my work computer to see if it works better
now...

It's funny, I actually only use Thunderbird for its calendar these days, not
for email.

~~~
inanutshellus
I vaguely recall a point when Lightning wasn't working but that has been
aaaaaaaages. It has been working fine for years on Linux.

~~~
dotancohen
I can confirm that Thunderbird and Lightning work fine on a CentOS 7 desktop.
I use them every day.

------
WalterGR
Does anyone know the last Thunderbird nightly build that's okay to use if you
don't want all your extensions to be disabled?

------
Alir3z4
Excellent work! I've been using Thunderbird for years now and enjoy all its
features.

The only thing that it lacks is the native support of Tray, I just use the
discontinued extension FireTray.

Anyway, just checked the new version and installed it, it looks fresh and
nice, great job!

------
seanalltogether
Has anyone had trouble accessing gmail from thunderbird in the last few weeks?
Both my work and personal accounts have been intermittently syncing and I have
no idea if this is a thunderbird problem or something I have to change in my
gmail settings.

------
Sniffnoy
Anybody know if the line-wrapping has been fixed? In either this version or
anything since <checks what I have> 52.9.1? The messed-up line-wrapping and
quoting is easily my biggest problem with Thunderbird.

------
8bitsrule
If you have any add-ons that you like a lot, better check into whether they're
compatible with TB60. (I was glad I had backups after I tried it.)

------
grandinj
wow, that is nice, go thunderbird!

------
brightball
Great news! I wonder when it will make it into the Ubuntu repos?

------
elorant
Gee I'm still on version 11. I tried updating once, got a ton of useless crap
like calendars and shit and reverted back. Email is one of the few things that
I want something very basic and crude.

~~~
verbatim
If you're using Thunderbird 11, you are using a mail client full of security
issues.

[https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/](https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/)

