Closed Bug 1678882 Opened 4 years ago Closed 4 years ago

SSL still present in settings of Thunderbird 78? If not, change string "SSL/TLS" to "TLS" for clarity!

Categories

(Thunderbird :: Account Manager, defect)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bugzil.la, Unassigned)

Details

Attachments

(2 files)

Attached image drop-ssl..jpg

User Agent: Mozilla/5.0 (Windows NT 6.3; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

TB 78.5.0 ESR (an up-to-date client) still offers "SSL/TLS" in its configuration. SSL in its last version is a very dangerous protocol, and TB 78.5.0 should not have the option "SSL/TLS". The option should be replaced with "TLS only" or "TLS" and should

Actual results:

Presenting SSL in the settings is a very disgusting thing. SSL shall be kicked from this client forever. TLS/1.1 and TLS/1.0 should be available only after a STRONG WARNING is shown to the user: "TLS/1.1 and TLS/1.0 is broken and dangerous. Please contact your e-mail provider if your provider doesn't implement TLS/1.2 or TLS/1.3. Do you want to continue at your own risk? [Tys] [No]".

Expected results:

Available options (look at attached picture):
"None (dangerous)", "TLS", "STARTTLS". The "SSL/TLS" should not be available!
Additionally, if the user chooses "None" (without ciphering), the word "dangerous" should be shown. Users may not know what their provider is telling them to type. Users are often non-technical. Drop the SSL, warn users what the settings do!

I cannot edit, please change "[Tys] [No]" to "[Yes] [No]" in my text.

Change:
«The option should be replaced with "TLS only" or "TLS" and should»
to:
«The option should be replaced with "TLS only" or "TLS".»

BTW. Providers know how to blame their customers. My provider made me choose "without ciphering" or "SSL" instead of "STARTTLS" or use a different client because "Thunderbird works bad". I had to convince them all day that the error was on their side because Thunderbird doesn't allow dangerous protocols in STARTTLS mode. The client should display a message that the server we are connecting to is unsafe, so that a non-technical user can show the message to the provider.

Although it says SSL/TLS, by default Thunderbird is configured to allow only TLS 1.2 or higher. If you want to set a lower version, there's no GUI for it, so also no warning, but you have to go to options and the Config Editor and change security.tls.version.min to 1 or 2...

@nONoNonO NO, drop the SSL (also in menus)! If Thunderbird accepts only TLS/1.2, this option should be named "TLS", not "SSL/TLS", thus my bug report is still correct. "SSL/TLS" is misinformation if Thunderbird accepts only TLS. The option should no longer be named "SSL/TLS".

"UI" not "security" "Component" should be selected?

Flags: needinfo?(o.e.ekker)

Thunderbird does not only accept TLS/1.2, it can be configured to also allow SSL. Also the term SSL is still more widely known than TLS (especially for certificates), and according to Wikipedia SSL was developed by Netscape and only renamed to TLS to save Microsoft's face *), which is for me an extra reason to keep SSL in the string. Anyway, it's not up to me, but up to the developers or module owner.

*) https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

Flags: needinfo?(o.e.ekker)

(In reply to Onno Ekker [:nONoNonO UTC+1] from comment #4)

Thunderbird does not only accept TLS/1.2, it can be configured to also allow SSL.

If Thunderbird can still be configured to allow a security protocol whose latest version was deprecated 5 years back in 2015 (SSL 3.0, published 1996, Deprecated in 2015 (RFC 7568)), please file that as a bug.

Also the term SSL is still more widely known than TLS (especially for certificates), and according to Wikipedia SSL was developed by Netscape and only renamed to TLS to save Microsoft's face *), which is for me an extra reason to keep SSL in the string. Anyway, it's not up to me, but up to the developers or module owner.

*) https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0

Yeah, but we can't change the course of history and the official name is now TLS, and all of the SSL protocols are deprecated long back, so I'd agree with reporter that this is highly confusing because the UI actually signals that we still allow SSL, which we certainly do not by default (and hopefully there's no way to go round that; strangely, plenty of ssl3 preferences seen in about:config... :-/ ).

Severity: -- → S4
Status: UNCONFIRMED → NEW
Component: Security → Account Manager
Ever confirmed: true
Summary: SSL still present in settings of Thunderbird 78? → SSL still present in settings of Thunderbird 78? If not, change string "SSL/TLS" to "TLS" for clarity!

Here's a partial screenshot of preferences found in about:config for search word "SSL".
Strangely, lots of SSL3 preferences...?

Magnus, can you clarify:

  • Does the presence of SSL3 preferences mean that TB does still use SSL3 somewhere? (I do realize that we claim to demand TLS 1.2 which is a much newer version, so that would exclude SSL3, but then - why these prefs?)
  • Is there any way using non-default preferences for users to enable deprecated SSL (sic) other than TLS?
Flags: needinfo?(mkmelin+mozilla)

Those prefs are just settings from NSS. Likely yes affecting things if you enable SSL 3.0, which you can by setting security.tls.version.min 0.
Like it or not (well, not), some servers haven't been updated. If users want to enable it, it's up to them really.

Flags: needinfo?(mkmelin+mozilla)
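Because lowering `security.tls.version.min` in the Config Editor produces no warning, a profile audit is the practical way to find clients that have re-enabled SSL 3.0 or TLS 1.0/1.1. The following is an added example, not part of the bug thread or Thunderbird's code; it assumes the standard `user_pref("name", value);` line format of `prefs.js` and the usual value mapping (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3), and the sample profile text is constructed.

```python
import re

# Meaning of each security.tls.version.min value (protocol floor used by NSS).
TLS_MIN_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
DEFAULT_MIN = 3  # default described in the thread: TLS 1.2 or higher

# Matches integer prefs such as: user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;', re.M)


def parse_int_prefs(text):
    """Return {name: int} for every integer user_pref line; the last one wins."""
    return {name: int(value) for name, value in PREF_RE.findall(text)}


def audit_tls_floor(text):
    """Return (effective_min, label, finding) for one profile's prefs.js text."""
    value = parse_int_prefs(text).get("security.tls.version.min", DEFAULT_MIN)
    label = TLS_MIN_NAMES.get(value, "unknown value %d" % value)
    if value not in TLS_MIN_NAMES:
        finding = "review"              # out-of-range value, inspect by hand
    elif value == 0:
        finding = "ssl3-enabled"        # SSL 3.0 allowed again
    elif value < DEFAULT_MIN:
        finding = "legacy-tls-enabled"  # TLS 1.0 or 1.1 allowed again
    else:
        finding = "ok"
    return value, label, finding


# Constructed sample profiles (not taken from a real installation).
SAMPLE_DEFAULT = '// Mozilla User Preferences\nuser_pref("security.tls.version.max", 4);\n'
SAMPLE_TLS10 = SAMPLE_DEFAULT + 'user_pref("security.tls.version.min", 1);\n'
SAMPLE_SSL3 = SAMPLE_DEFAULT + 'user_pref("security.tls.version.min", 0);\n'

if __name__ == "__main__":
    for name, text in [("default", SAMPLE_DEFAULT), ("tls10", SAMPLE_TLS10),
                       ("ssl3", SAMPLE_SSL3)]:
        print(name, audit_tls_floor(text))
```
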

Since SSL is so much used as a name still, I think we should keep the SSL/TLS label for some time still. Many instructions out there will tell you to "choose SSL" and then people couldn't figure it out otherwise.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX

I think this needs to be revisited after handling a support request involving Namecheap where the port used did not connect because the user selected the port for SSL, which was disabled by default. There is no user feedback in the setup process that you are choosing to use only TLS.

The instructions from Namecheap actually use different ports for SSL and TLS. https://www.namecheap.com/support/knowledgebase/article.aspx/1179/2175/general-private-email-configuration-for-mail-clients-and-mobile-devices/.

I have been listening to discussions about modernising the user interface; how about we just stop with the ancient references that have been disabled for close to a decade? Perhaps just change the connection security to "encrypted" and place some information text beside the entries that encryption will include TLS and SSL if it is enabled (I would prefer no reference to SSL at all unless it is already enabled in preferences).

Your thoughts, Wayne?

Flags: needinfo?(vseerror)

There are two kinds of settings: A) SSL/TLS and B) STARTTLS. These are different and must not be confused.
Both use TLS security in the end, but #B does connection security upgrade first, so it will use a different port.
The names that we have are correct, and widely used elsewhere.

You misunderstood: they do not use different ports for SSL and TLS. Namecheap seems to refer to #B as "TLS/STARTTLS", which is confusing.

Flags: needinfo?(vseerror)