Closed Bug 1261705 Opened 8 years ago Closed 8 years ago

Thunderbird bypasses password protection. Master Password does not prevent reading mail.

Categories

(Thunderbird :: Mail Window Front End, defect)

Product:
Thunderbird
Component:
Mail Window Front End
Version:
38 Branch
Platform:
x86_64
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 318697

People

(Reporter: zipsplace, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160315153207

Steps to reproduce:

Start PC (Windows 10; aka Big Bro 10) . Click on Thunderbird to start up. My PC does not have an automatic connection to the WIFI - I have two WIFI adapters. This time it did try to connect to my OBDII-WIFI connection.


Actual results:

Thunderbird opened - but never prompted me for my Master Password (which it should be doing and would if I auto connected to internet.)  - I can open and read emails I can write too ; it will ask me for the password if I click send.


Expected results:

Thunderbird should have asked me for my Master Password before allowing me to do anything - like it used to do.  I am using Thunderbird 38.7.1, Windows 10 64 Bit Home
Severity: normal → critical
Keywords: access, sec-high
OS: Unspecified → Windows 10
Priority: -- → P1
Hardware: Unspecified → x86_64
"like it used to do" - do you have a specific version of Thunderbird that you can confirm works differently for you?

I'm also confused about the discussion of Wifi adapters. Thunderbird has nothing to do with connecting to the internet via wifi adapters. The master password is used to control communication to email servers, assuming that an internet connection has been setup by the operating system. I would expect a master password prompt when you attempt to connect to a server to download new emails or send a new one, but not when you are simply reading local already-downloaded emails.

So nothing you have written so far convinces me that Thunderbird is not working as expected.
What you describe is bug 318697.  You can see by the many duplicates to bug 318697  that it is a common misconception that master password protect downloaded mail.  The main purpose of the master is to protect saved passwords.
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Keywords: access, sec-high
Priority: P1 → --
Resolution: --- → DUPLICATE
Summary: Thunderbird bypasses password protection → Thunderbird bypasses password protection. Master Password does not prevent reading mail.
(In reply to Kent James (:rkent) from comment #1)
> "like it used to do" - do you have a specific version of Thunderbird that
> you can confirm works differently for you?
> 
> I'm also confused about the discussion of Wifi adapters. Thunderbird has
> nothing to do with connecting to the internet via wifi adapters. The master
> password is used to control communication to email servers, assuming that an
> internet connection has been setup by the operating system. I would expect a
> master password prompt when you attempt to connect to a server to download
> new emails or send a new one, but not when you are simply reading local
> already-downloaded emails.
> 
> So nothing you have written so far convinces me that Thunderbird is not
> working as expected.

I understand the WIFI adapters has nothing to do with TBird; However it is relevant to the bug condition and the steps that recreate it. If my WIFI adapter connects automatically to my router and thus the internet - TBird opens and the first thing I see is the Password Required Window : Please enter the master password for the Software Security Device ; where I must enter my Password. If my Wifi is NOT connected - then when I open TBird it does not bother me with that screen at all - it could care less.
(In reply to Wayne Mery (:wsmwk, use Needinfo for questions) from comment #2)
> What you describe is bug 318697.  You can see by the many duplicates to bug
> 318697  that it is a common misconception that master password protect
> downloaded mail.  The main purpose of the master is to protect saved
> passwords.
> 
> *** This bug has been marked as a duplicate of bug 318697 ***
Then it sure behaves funny - TBird opens and I get (as long as my wifi is connected) the Password Required window. I can not do anything at all when that window is open unless I enter the password as it requests: "Please enter the master password for the Software Security Device"
It actually locks out any other task. So if it is not meant as a security password for Thunderbird - but only the Password manager - I do not think I should be bothered with the nag screen asking me to enter the Master Password every time .. unless I am managing the passwords.
I would like to say given the links and the links in those links ; that the flaw is that if this is simply to protect my account passwords - then I should never be prompted for this unless I am managing those passwords. Otherwise the operation behaves as a poorly instituted security; and thus all of those duplicate bug reports over the years (as I looked at the links) etc.. considering the operation seems to be as you are saying - then the implementation should be changed - as per Wayne's comment - it is a common misconception... 
It would not be a misconception if the operation of it behaved in practice as you have described. Just manage my account passwords .. don't prompt me for the master unless I am managing those account passwords that are stored. Then everybody under the sun will know that is all it is for. [Of course be prepared for the onslaught of people who claim their Thunderbird no longer asks for the Master Password when opening TBird. 
Given the number of duplicates through the threads and the number of reports and the number of individuals who would actually take time to write a bug report.. In my opinion the behavior in this case then is obviously incorrect.
You need to log in before you can comment on or make changes to this bug.