570011 - Thunderbird doesn't detect when TLS renegotiation is disabled

Status: RESOLVED DUPLICATE of bug 549641

(Thunderbird :: Security, defect)

Description

[Eric Moore]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.4) Gecko/20100526 Thunderbird/3.1

Thunderbird 3.1RC1 reports in the error console: 

mail.messagingengine.com : potentially vulnerable to CVE-2009-3555 

This is the SSL/TLS renegotiation vulnerability that was used to steal usernames / passwords from Twitter. mail.messagingengine.com is the mail server (its actually a proxy) provided by Fastmail.fm. Thunderbird doesn't report this vulnerability for Gmail or Google Apps but does for Fastmail, Aim, Gmx.com and Hotmail. I assume this means Gmail implements RFC 5746 and NSS detected that. However, according to the Fastmail.fm weblog at http://blog.fastmail.fm/2009/11/18/ssl-security-updated/ they configured the mail servers to disable SSL renegotiation.

Technically, the message only said it was "potentially vulnerable". However, if these types of security messages are going to be useful to the user it should be thorough enough to test if SSL renegotiation was disabled. Otherwise its just security theater. Especially if more email providers decide to fix the problem the way Fastmail did (reconfigure their services) rather than by adding new features (supporting RFC 5746)

See http://getsatisfaction.com/mozilla_messaging/topics/3_1rc1_reports_tls_vulnerability_cve_2009_3555 for some more information. Supposedly any Mozilla application that uses NSS 3.12.6 or higher would do the same thing.

As an aside, are Mozilla applications that support SSL/TLS expected to support the settings in https://wiki.mozilla.org/Security:Renegotiation or is that meant just for Firefox? The reason I ask is if security.ssl.treat_unsafe_negotiation_as_broken is set true the application is supposed to display a visual indication to the user such as a red/broken padlock if the problem occurs. If it is, and its Thunderbird's responsibility to implement that (not NSS's) please let me know and I'll write a separate bug report on that.

Reproducible: Always

Comment 1

[rsx11m]

Ben, I've noticed that trunk and 1.9.2 versions of HandshakeCallback() in nsNSSCallbacks.cpp (that's where the message is generated) are different due
to bug 549641 which you filed. It appears to me though that this was just for introducing a pref to suppress the warning, or am I missing something?

Comment 2

[Ben Bucksch (:BenB)]

Yes, this is basically a DUP. The bug I filed was complaining about exactly the same thing: The msg in the error console appears even though TLS renegotiation is disabled. My bug has people explaining that the client cannot know whether TLS renego was disabled on the server, unless the server also implements RFC 5746, therefore the msg is claimed to be "technically correct" (as reporter here says as well), but cannot reasonably be improved either.

Either way, the fix for FF and TB is the same, because the code is in NSS, so it's a DUP in that respect, too.