
Security warning for Thunderbird users and Enigmail users - doener
https://posteo.de/en/blog/security-warning-for-thunderbird-users-and-enigmail-users-vulnerabilities-threaten-confidentiality-of-communication
======
userbinator
_The add-on architecture of Thunderbird allows an attacker to obtain your
email communication through compromised add-ons. The add-ons are
insufficiently separated and have access to the content in Thunderbird._

IMHO that's a _feature_, not a bug, and the reason why add-ons are so useful.
One only has to look at the situation around the capabilities (or lack
thereof) of the new Firefox extensions model to see why.

There's a memorable saying which I get reminded of every time I read things
like this: "the security people will not be satisfied until everyone has been
put into prison."

------
gojomo
This write-up takes a while to get to the point for Thunderbird users, which
is:

* Thunderbird add-ons aren't well-sandboxed, so a vulnerable or malicious add-on can access your mail and even private keys

* an as-yet-not-fully-specified bug in Thunderbird RSS feed handling allows RSS feeds to access "communications and other sensitive data"

I'm not sure how many Thunderbird users are dependent on add-ons – so simply
disabling most/all add-ons may be an acceptable mitigation for the 1st matter.

But for the vaguely-described RSS bug, their only suggestion is: "Do not use
RSS feeds in Thunderbird for now. There are critical security problems,
threatening your entire communication."

~~~
cJ0th
>But for the vaguely-described RSS bug, their only suggestion is: "Do not use
RSS feeds in Thunderbird for now. There are critical security problems,
threatening your entire communication."

yeah, does anyone know what this bug is about? I'd like to keep reading my
feeds while I am waiting for a fix. Based on their vague description I can't
deduce the likelihood that this bug is going to harm me.

------
fencepost
Maybe I'm strange, but I've always regarded browser or email add-ons/extensions
as likely to have the same level of system access as the program they're
running in. You're running a program in a scriptable environment; it's no
different than complaining that shell scripts can do terrible things to your
system.

I applaud them for finding the actual bugs though, and hopefully those will be
addressed promptly.

That said, what decent mail clients still exist? It seems like it's all
webmail, phones, Outlook, or Thunderbird (which has had its own spate of "does
it have a future").

~~~
slrz
There's always Mutt, of course. Easily beats the ones you listed, especially
when handling larger volumes of mail. Development picked up some steam again
in recent years, with forks like mutt-kz[1] (now deprecated and folded into
neomutt[2]) integrating awesome search functionality.

Claws Mail has some fans, too, and might be more accessible to Thunderbird
users.

[1] [https://github.com/karelzak/mutt-kz](https://github.com/karelzak/mutt-kz)
[2] [https://www.neomutt.org](https://www.neomutt.org)

