User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051111 Firefox/1.5 When starting thunderbird my password for retrieving new mail is asked. When I push the 'cancel'-button I (and everyone else) can acces and read my already downloaded e-mails. The program should NOT start up if this password is incorrect !! Reproducible: Always Actual Results: When cancelling the program starts up and I (and everyone else) can acces already downloaded e-mails. Expected Results: Program should not start up.
the password is for the mail server only and not the Thunderbird application. There is currently no password protection for starting up TB.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
Assignee: mscott → nobody
Component: General → Security
QA Contact: general → thunderbird
Whiteboard: See also bug 16489, bug 35308 → See also bug 16489, bug 35308 [duptome]
Wrong. The Master Password is NOT 'for the mail server', it is essentially a way to protect sensitive account settings (ie, you can't get into the saved passwords without it) - and imnsho, this is most *definitely* a bug, if it allows offline messages to be read.
And obviously, by the number of duplicate bugs being opened, this is a problem for a *lot* of people. The number of people who actually *want* to report a bug is exponentially greater (by how many factors?) than the number of people who actually take the time to do so. Please REOPEN this bug and FIX it.
I agree. This is a design bug. The concept of a password implies some sort of user controlled protection of sensitive data. The login to a mail server is a password mechanism that protects access to the account's mail. What's the point of the master password if you're going to be able to get to the mail anyway by pressing a cancel button? The bug here is an illusion of security and it does need to be fixed.
Actually, I mis-read this - I agree with Ray that the *account* password should not block opening TB and working with existing mail. I thought the OP was talking about the Master Password.
The basic problem seems to be a lack of clear understanding of what password security is provided, and how it works. There is currently only one level of protection - account passwords. There could usefully be another level of protection on locally stored email, but that is a slightly different topic. If you are dealing with a POP account, you should (absent protection for local data) see the downloaded email, but not anything at all to do with email still on the POP server until the password is given. With an IMAP account, with email stored on the server, you should see absolutely nothing until the account password is given. In fact, you do see information (subject, sender, date etc) of previously seen email, which I really think should NOT be displayed until the password has been given. If an IMAP account has been "synced" locally, its in the same class as downloaded POP messages. I would like to see local content protected, but that doesn't seem to have been a design option so lets just leave that as a "would be nice to have". However, displaying information on previously seen IMAP messages is an issue. Yes, its not the entire message, but subject, sender etc. may well be sensitive.
What I have found afte the upgrade to ver 3.0.3 is that I get a number of pop up menus requesting the 'Master Password'. It use to appear only once at start up, now I can't turn it off and it continues to 'Pop-up' every 15mins or so.
Confirmed. I get 2 password prompts now.
confirmed. I get 2 password prompts now for the "master password". I'm using TB 3.0.4.
I guess this is bug 177175? There is an extension to provide a workaround until it is fixed: https://addons.mozilla.org/en-US/thunderbird/addon/9808
When you open Thunderbird (3.0.4), I also receive two prompts asking the master password. If I type the first and cancel the second, Thunderbird ignores the master password and asks all the passwords of my email accounts. If I cancel the first and the second type, Thunderbird considers the master password and does not request the passwords individually. This problem was not found in version 2 of Thunderbird.
This is the theme - Bug 318697 - Password protection when starting thunderbird. Let's don't distract. This is a big problem - everybody can read your email. When Mozilla Developers begin read this articles and really begin security improvement.
Fully agree with comment 29: TB's credibility is at stake if it's possible to protect one's email (local and POP) in a simple way!
The Main Password dialogue say this: The main password is used to protect critical information as site password, it will be required once for each session when thunderbird should retrieve protected information. The same dialogue add this: warning do not forget your password. If you forgot your password it will be not possible to access protected information. From my point of view Configration settings likke account information, Local folder and so on must be protected. If the application cannot grant this minimal security setting this password has no meaning. The connection for each single email server can be simply not stored to prevent application to access directly.
As the BIOS Core has the master password of the security in main platform it also should have the dependency on the password stored in. Thunderbird is the program. It also has the same thing. So the problem isn't solved, it should be. As it it the problem in some ways. As a user i use email client on different platforms and the client of freeware can not contain any of the security issues that can be harmfull to the HOME Desktop user privacy.
So has the design / development team decided to fix this or have they put their respective heads in the sand and taken the this is a "FEECHUR" attitude? So the data that sits behind my Thunderbird Ebail client (regardless of source (POP / POP3 / IMAP / DRAFT ....) is completely exposed. And all this time I was under the misguided belief the Mozilla Products were designed with security conciseness. Have you tried to use something called Lotus Notes? It asks for a userid / password and and failing to correctly authenticate prevents you from getting to the mail through the client. So then someone says, Ok, so the client doesn't start up we're secure!!! WRONG... next the data needs to be encrypted. Just the password and preventing the client from starting up doesn't quite do it. For the user to be really safe, the data sitting behind the client needs to be strongly encrypted. But, the first order of business is for this is to fix the bloody start up password problems. Are you guys going to change the status of this bug to VALID or what? Come on now.... turn your head and cough while we lift this area here!!!
All Thunderbird users (or at least most of them) agreed the need of a password that grant/prevent the starting up of the application. You continue to joke with semantic but the problem remain. Call it Bug, or new feature or in any other way you prefer, but at the and provide a solution. I agree with Barney (comment 41) the storage encryption is important but it is a secondary problem. If the application does not start nobody can identify where the information are stored, or read configuration setting, read the local emails and access to all the configured mailboxes... Many application start with this first level of security, because it is very simple to implement, so please think about it.
There are several password requirements if you think about it. These were listed in the bug report that I opened, which was rejected as being duplicate of this one -- which it was not. What is required (IMHO) for a secure email client (ignoring data encryption for the moment, just looking at password protection): 1) A password to access any stored information, including subject headers, sender etc. Optionally, this can be used as a master password to allow access to all of the configured email accounts, or a subset, as defined by the user. 2) A password for each email account. Again, no information displayed until this password is given. It would be convenient if this password were the password used to authenticate to the email server associated with the account. 3) The ability to lock individual accounts, removing all visible email information and requiring the password to be given again to access the account. I know this is exactly the opposite of what the developers envisage, which is trying to merge several email accounts into a single view, but reality is, in the real business (and private life) world, allowing information from alternat email accounts to be visible by default is a BIG problem. Please address this bug. It is NOT "INVALID" - only in your minds.
(In reply to comment #42) > All Thunderbird users (or at least most of them) agreed the need of a password > that grant/prevent the starting up of the application. You make this assumption based on what? > I agree with Barney (comment 41) the storage encryption is important but it is > a secondary problem. IMHO, it's not. > If the application does not start nobody can identify where the information are > stored, or read configuration setting, read the local emails and access to all > the configured mailboxes... Incorrect. > Many application start with this first level of security, because it is very > simple to implement, so please think about it. False security is no security. (In reply to comment #43) > What is required (IMHO) for a secure email client (ignoring data encryption for > the moment, just looking at password protection): If by 'password protection' you mean the protection of passwords, TB does already offer that in the form of the master password.
(In reply to comment #44) > (In reply to comment #42) > > All Thunderbird users (or at least most of them) agreed the need of a password > > that grant/prevent the starting up of the application. > > You make this assumption based on what? Based on the number of bug submitted and reclosed as duplicated, based on internet forum and other sources. based on what you stated that it is not true? > > > I agree with Barney (comment 41) the storage encryption is important but it is > > a secondary problem. > > IMHO, it's not. It is a secondary step, first of all grant the access to application based on password, after that we may discuss everything > > > If the application does not start nobody can identify where the information are > > stored, or read configuration setting, read the local emails and access to all > > the configured mailboxes... > > Incorrect. So the configuration information are store in textplain in the registry or in something like textual file? The configuration grant the possibility to modify the local storage, and once modified as you stated the master password should grant that nobody should be able to read this configuration (or also this security does not work as should)? > > > Many application start with this first level of security, because it is very > > simple to implement, so please think about it. > > False security is no security. I agree this, but nothing is even worst than this > > (In reply to comment #43) > > What is required (IMHO) for a secure email client (ignoring data encryption for > > the moment, just looking at password protection): > > If by 'password protection' you mean the protection of passwords, TB does > already offer that in the form of the master password. It is not what we all are requiring There is none so dull as those who do not want to hear!!!
(In reply to comment #45) > So the configuration information are store in textplain in the registry or in > something like textual file? If it's stored unencrypted it can be readout without much effort. If an application makes it possible to display in a human-readable format it does not matter how it handled in the lower layers. But let's say it was stored in plain text, would you then be advocating the usage of obscuring mechanism just for the illusion of security? By this you would be in favor of security through obscurity which is a Very Bad Thing™. > > False security is no security. > I agree this, but nothing is even worst than this A false sense of security is better than a right sense of insecurity? This might be debatable, like the usage of halluzinogenes, believing the propaganda of a repressive goverment or whether to stay in the Matrix. When the user is aware of his e-mail data being unencrypted he knows it is a sensitive thing and should be treated as such. If TB were to 'trick' the user into thinking his profile data is secure by adding such a password promt, the user might for example assume it's safe to share the partition where it is stored. > There is none so dull as those who do not want to hear!!! Very true, Roberto.
Yes, really YOU do not want to hear. Continue to joke, but next? You are going to do something or nothing at all? TB must continue to stay without ANY security like now? Good for you that are happy in this way I do not want to loose my time explaining that TB need to add more security Security of all sense starting from the basical request 'till the more complex security The TB main password is not usefull for us, but is usefull just for your opinion. There is a path that you may suggest to obtain this "feature"? Or the unique solution is to use a different client (like Windows Live Mail or other anyway free) ? Or we may expect something? thanks (In reply to comment #46) > (In reply to comment #45) > > So the configuration information are store in textplain in the registry or in > > something like textual file? > > If it's stored unencrypted it can be readout without much effort. If an > application makes it possible to display in a human-readable format it does not > matter how it handled in the lower layers. > > But let's say it was stored in plain text, would you then be advocating the > usage of obscuring mechanism just for the illusion of security? By this you > would be in favor of security through obscurity which is a Very Bad Thing™. > > > > False security is no security. > > I agree this, but nothing is even worst than this > > A false sense of security is better than a right sense of insecurity? > > This might be debatable, like the usage of halluzinogenes, believing the > propaganda of a repressive goverment or whether to stay in the Matrix. > > When the user is aware of his e-mail data being unencrypted he knows it is a > sensitive thing and should be treated as such. If TB were to 'trick' the user > into thinking his profile data is secure by adding such a password promt, the > user might for example assume it's safe to share the partition where it is > stored. > > > There is none so dull as those who do not want to hear!!! > > Very true, Roberto.
There are multiple layers of security. They can be tackled one by one. Just because one is perceived to be hard, is no reason not to start on the rest. I have said this all before, but just to repeat for those that may not have seen it: I don't believe that my job is that unusual. I do consultancy work. Typically, larger clients will have their own e-mail system that they want you to use. My employer has their own email system, sometimes I work through a different agency and they will have their own email system. Then I have my own email accounts, in fact, I have three, my own system at home, and a couple of Gmail accounts. It is important for me to keep these separate, so the unified view is actually a large pain for me, and I have to spend effort making certain it is disabled. When on-site at a customer, I will often be working in a "war-room", with people from the client as well as possibly consultants and PMs from other companies. It is often difficult to hide the screen of my laptop from the view of others. What I don't want is (for example) a customer to look over my shoulder, or me show them something in email and them see e-mail subject and header information from other email sources. Sometimes they are very touchy about finding that I may be working for a competitor -- they needn't be, thats part of the job, keeping the clients separated, and being careful with their information - but its hard to convince them of that when they can see interesting info "leaks" in the sjubject headers of another company. They also don't need to see something like: Subject: Watch Joe Blow - he is a mean SOB! <myboss@mycompany> So I need the ability to open just ONE email account, and leave the others locked. I need to be able to lock the current one and open another. I need NO information to be displayed until I ask for it. These people do not have physical access to my laptop, so the question of physical data security is not an issue (well, it is an issue, but a different issue). ------------------------- Unfortunately, I get the impression that the program manager and developers for Thunderbird think that their own usage model is the only important one, and representative of a typical user. It is not. Now, at home, on my home system, it may well make sense for me to want to store passwords for all accounts and to open them all with a single (or no) password. Its flexibility we are looking for, not a single, baked in usage model.
STOP! THIS IS NOT A DISCUSSION FORUM. THIS IS NOT THE PLACE TO ARGUE or ADVOCATE. Bugzilla bug reports, like this one, are where the developers report the technical issues they encounter during development. DISCUSSION BELONGS IN THE NEWSGROUPS.
Nelson: Bugzilla is also a place where *users*/testers can report bugs with either the latest official releases or pre-release versions of Mozilla software as well as placing (reasonable) requests for additional or improved features for said software, not just for developers to report technical issues they encounter during development. Like this request for improved password based security that keeps others from accessing email accounts and already downloaded email in Thunderbird for example. I agree that arguments and personal attacks should be strictly avoided although rather intense discussions are hardly uncommon even among developers on bugzilla reports. And valid discussions pertaining to the report subject in question certainly belong here. And please mind your caps lock as it is akin to yelling.
Kirk, advocacy does not belong in bug reports. Period. Don't presume to tell the owner of two Mozilla modules what b.m.o is and isn't.
Nelson, Mozilla provide the possibility to users to open bugs, and THIS for most of us IS a bug. Many bugs were closed as duplicated of this one, that was already placed is in the status "RESOLVED invalid". For most of us do not agreed with the status nor with the provided explanation. I asked also to provide a different path to discuss about it but I did no received an answer. My opinion is that the problem discussed here is a simple bug, and for this reason I think that here we should wait the final answer NOTE: The status RESOLVED INVALID ISSUE cannot be acceptable (this bug is not solved and is the indication invalid is not appropriate) If TB do not want to develop this kind of solution OK, but put the status of CLOSED with the explanation "Feature that TB team decide to not provide", even if no users agree. The "main password" provided for us is useless (In reply to comment #49) > STOP! THIS IS NOT A DISCUSSION FORUM. > THIS IS NOT THE PLACE TO ARGUE or ADVOCATE. > > Bugzilla bug reports, like this one, are where the developers report > the technical issues they encounter during development. > > DISCUSSION BELONGS IN THE NEWSGROUPS.
To be completely blunt about it; this is categorically an integrity issue of the highest order. The mere aspect that TB comes up and an unauthenticated user can read the mail that's been downloaded (without respect to getting new mail) in and of itself is completely beyond comprehension why this isn't viewed as a bug. So if you don't view this as a bug, then where do we submit requirements to get this resolved?
Right or wrong and unfortunately for those who want messages to be more secure, account passwords and master passwords were never indented to be, nor cannot be mophed to the purpose of adequately protecting locally stored mail. That's a blatantly simple sentence. Thus the bug was marked INVALID in 2005. Similar issues are tracked in bug 16489, to which many thunderbird bugs have been duped. It might have been more generous to have kept this bug open as a request to improve protection or duped it to the bug that deals with that, but that was not done. For example password protection is not useful without protecting the profile from snooping, which would require Bug 98346 - Option to encrypt all personal infos. And the bugs related to 98346 are marked so. THOSE are the bugs that need to be fixed. But impassioned please isn't going to help. (you will notice Nelson already cited all the related bugs in this bug for your reference) > DISCUSSION BELONGS IN THE NEWSGROUPS. http://lmgtfy.com/?q=thunderbird+newsgroups Also, linked off of https://wiki.mozilla.org/Thunderbird is https://wiki.mozilla.org/Thunderbird/CommunicationChannels
Why do people continue to confound two different issues? There is the issue of password access to DISPLAY stored data. Then there is the issue of securely (encryption)storing that data. These are different issues.
The redicilous thing is that people see the problem and understand that this is a BUG in Thunderbird everyone understands it but for some issues that are only in people mind or in other stupid things that can be fixed, they involve in the disscussion that useless. The problem doesn't solve itself. If its a problem why developers of the Thunderbird understand but still disscuss about it? Why can't they solve it without talking?
I understand, this is not a BUG. This issue has been around for many years. Bottomline, many people here want and need a password access feature to open Thunderbird, period. Without the correct password, no one can access anything in Thunderbird. That is what a lot of us is waiting for since 2005, in the meantime, I cannot use this FREE service. Thank you.
In order to help this situation along by providing at least a partial solution to improving Thunderbird password security I've found a way to keep Thunderbird from displaying any new or local/downloaded emails in any email account set up in Thunderbird unless a master password is used at start up. This solution also forces the master password dialog at start up whether or not you actually save email account passwords in Thunderbird's Security settings.And canceling out of the master password box will *not* display or allow access to any emails on any email account until the master password dialog is again invoked by clicking on another email account folder (Inbox, Drafts, Sent, etc) and the correct master password is entered. ******************** If you are using Thunderbird on a Linux distro you have to follow two different steps. First of all, go to Edit —> Preferences —> Security —> Passwords and create your Master Password. Secondly, go to Edit —> Preferences —> Advanced —> Config Editor. Then in the filter bar, type password and change the parameter for "mail.password_protect_local_cache" (without quotes) to True. The next time you launch Thunderbird nothing will be displayed (old and new emails) before you insert the correct Master Password. If you are using Thunderbird on Windows you perform the same two steps but you have to modify "mail.password_protect_local_cache" by going to Tools —> Options —> Advanced —> Config Editor. Then, as for Linux, in the filter bar type password and change the parameter for "mail.password_protect_local_cache" (without quotes) to True ************************
Sorry, I forgot to mention that previous posters have mentioned a workaround by using STARTUP MASTER v1.3. I have used it and I can confirm that it does work. Thanks.
As a lead developer of Thunderbird I am providing a response to folks commenting on this bug. Please read the following carefully before proceeding, indeed, please realise that this is not a discussion forum, and you should use other channels if you want to discuss this further: https://wiki.mozilla.org/Thunderbird/CommunicationChannels Readers are also reminded of the bugzilla etiquette: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html The master password has never been designed to protect access to a users data. It is only designed to protect access to passwords, should the security of an installation be compromised. We would not offer password protection access to a users data in Thunderbird without also doing some form of encryption on that data. To do so would be irresponsible as it could lead many users to think that their data is safe, when all it would really take is for someone to access the disk directly. Whilst we could offer encryption of data, there are existing methods that you can do today that will adequately protect your data (for example, OS level protection, data encryption tools). We therefore do not believe it is worthwhile spending time on offering encryption as this doesn't actively contribute to significantly advancing Thunderbird or the goals of Mozilla Messaging.
Resolution: INVALID → WONTFIX
Whiteboard: see comment 49 → [Read comment 60 before proceeding]
Mark Banner: Thank you for your explanation.
Whiteboard: [Read comment 60 before proceeding] → [Read comment 60 before proceeding][duptome]
Summary: Password protection when starting thunderbird → (Master) Password should protect / prevent access to mail when starting thunderbird
Thanks Kirk M i can vouch that it works, thank you so much. I was really worried about my data and felt very vulnerable. Mark Banner, could you now consider releasing future editions with this command enabled?...Though there is a minor issue....only the mail is protected but mail settings are still exposed. Am sure there can be a work around to fix this.
Having read all of the above, can I ask for the following fix, which should be easy to implement and will probably reduce the number of duplicates of this non-bug that are being filed: * Can any cached data from IMAP servers be flushed when exiting Thunderbird, please? * This will not address everybody's concerns above. However, it is compatible with the mentality that Thunderbird's master password (or indeed your mail account password) protects your access to your mail server. It is also compatible with the notion that Thunderbird does not provide encrypted/secure local storage of data. And it addresses the general point that when using IMAP, users expect their mail to be stored, securely, on a remote server (and not on the PC), and hence protected by password (whether their server password, or the Thunderbird master password).
(In reply to Haro de Grauw from comment #69) > * Can any cached data from IMAP servers be flushed when exiting Thunderbird, > please? * Such a RFE would merit its own bug. Besides, it would be a quite a challenge to do this securely, you have to keep in mind that there might be a non-clean shutdown (possibly not visible to the user) and on top of that the environment (OS) might also do some not-asked-for caching or similar things on its own (paging).
> Such a RFE would merit its own bug. Hi Baboo, thanks for replying. My reason for posting here was simply that I think this would address a large part of the security concerns that have been heatedly debated here, without calling for a total overhaul of Thunderbird's security model. > Besides, it would be a quite a challenge to do this securely, you have to > keep in mind that there might be a non-clean shutdown (possibly not visible > to the user) and on top of that the environment (OS) might also do some > not-asked-for caching or similar things on its own (paging). We'd still be lightyears ahead of the current situation, where the mail in a password-protected IMAP account is readily visible to anyone with physical access to the machine. In any case, any residuals from a non-clean shutdown should be fixed at the next (clean) shutdown, and I would expect that a PC reboot would clear any OS paged data, or at least leave it somewhere the average office worker would have a hell of a time trying to find it.
OS: Windows XP → All
Hardware: x86 → All
Summary: (Master) Password should protect / prevent access to mail when starting thunderbird → Master Password should protect / prevent access to mail when starting thunderbird
Whiteboard: [Read comment 60 before proceeding][duptome] → [Read comment 60 before proceeding][duptome][support]
While I agree the password usage according to some on this long list is a protection of the user accounts security not entirely accurate; it behaves more like a Password Vault .. not a Master Password protection or security protection. I cancel it out and I can get into the accounts settings and do what I want, like remove encryption. The whole premise of the Master Password Protection - protects the account passwords with one Password ( A Vault ). That seems to be a justifiable argument but it really does not follow the documentation. The use case is according to Mozilla at this link: https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-master-password "What if you share a computer, and don't want others to see your stored passwords?" "Want to prevent others from seeing your messages? If you share a computer, create a separate Windows account for each person, and make sure your Windows account requires a password. Thunderbird stores accounts, messages and password information separately for each Windows account." Ok if I am using a Shared computer and don't want others to see my stored passwords - How can they see them if I have separate login accounts ? Then if I do not have a separate Login Account , the master password needs to be entered for them too, which does not hide my passwords - so is there a purpose? Isn't the point of the password on the email account to prevent others from accessing my emails and seeing them, isn't that why if I have firstname.lastname@example.org I use a password to prevent others from seeing my emails and also from sending as if they are me? Now what does that Master Password do to prevent others from seeing my messages ? NOTHING! It only prevents others from downloading my latest messages! It behaves like a Password Vault .. not like a security component at all. 1: It fails the USE CASE as described on the Mozilla site. See the link and read it - or just read the QUOTED TEXT under the link above as it is a direct COPY PASTE. 2: It fails in the common understanding of what a password protected email account is. The general consensus and normal use case which is also defined by the Mozilla Support Website states Clearly it is to prevent others from SEEING the users messages. With regards to the confusion ... perhaps it is not confusion but EXPECTATION..the expectation that it performs according to the nomenclature and the documentation even shows that this particular functionality was not well thought out. Purpose , what is its purpose? , and does it fulfill the purpose in the use cases cited on the web page and documentation ? for me the answer is No, Expectation - what is the expectation again for me the answer here is No. While I prefer to have my emails and accounts locked out using a master password, the use case here is a misnomer; the naming convention is wrong and the documentation for it is also incorrect in that the functionality - behavior is not clearly described. Either the functionality should match the nomenclature, and the documentation or the nomenclature and documentation should be changed to match the functionality. I really do not see why it would be difficult to simply Prohibit the viewing of account settings, emails or retrieval /sending if there is a master password set and no successful password has been entered, with all the argument against making the Master Password behave according to the expectation of what a Master Password is supposed to do in the mind of users, and also with regards to the expected functionality that is not clearly defined in the documentation ... I am wondering is there a back door ?
You need to log in before you can comment on or make changes to this bug.