Closed Bug 381122 Opened 14 years ago Closed 14 years ago

Remember Mismatched Domains add-on no longer works with 3.0


(Thunderbird :: Security, defect)

(Reporter: k.o_rohrer, Assigned: dveditz)


User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv: Gecko/20070517 SeaMonkey/1.1.2
Build Identifier: version 3.0a1 (20070517)

With the 3.0 version, I am no longer able to permanently accept mismatched domains in security certificates. The add-on no longer works. Please make this a regular feature in Thunderbird or make the add-on compatible.

Reproducible: Always

Steps to Reproduce:
1. Check posts in a newsgroup with mismatched domains (The University of Phoenix, for example)
2. The warning comes up but there is no box to check to accept it permanently.
3. I have to click OK or cancel.

Expected Results:
When the mismatched domains warning box comes up, there should be a check box to permanently accept the certificate.

This extension is not part of the "Mozilla" codebase, please contact the author of the extension about bugs in that extension (there should be a 'homepage' link for the extension in the addons dialog).

Certificate Error handling is undergoing quite an overhaul in the core code on the trunk, but the Thunderbird developers have been busy finishing Thunderbird 2.0 and have not yet started work on any actual "3.0" version.

Closed: 14 years ago
Resolution: --- → INVALID

I'm sorry, but I disagree. This feature should be a part of Thunderbird. We shouldn't have to go elsewhere on the internet to get something that should be standard. This behaves like a bug because it doesn't act as it should. From what I've read on the internet, many other "customers" feel the same way. Why not give us what we want? This has been asked for several years now. Surely someone can add this feature.

Oops. I should have read the last sentence before I posted. From what you say, it is your intention to add this feature in version 3.0?

I'm saying two things.

1) if the extension is broken filing a bug _here_ is not going to communicate that fact to the extension author

2) There was a stated desire to do this in Thunderbird 3.0, but I'm not promising since I'm not on the Tbird team. As you say lots of people want this, and having it in Thunderbird would be somewhat less insecure than the broken extension ("The man-in-the-middle Extension" the SSL team calls it).

As to "it doesn't act as it should" (comment 2), if the mail servers had valid certs it would work perfectly well. The mail servers are the ones abusing SSL and can more easily get valid certs, which are these days incredibly cheap and even _free_ from some vendors, far quicker than we can fix Thunderbird 3. Are you asking _them_ "Why not give us what we want"?

I'm the extension's author.

I agree, this was not the most direct method for filing a bug for the extension. It was successful though ;-) I took a quick look at Thunderbird 3.0 a few months back and thought I'd let it settle down a bit before tackling what changed this time around. Unfortunately for you Ken, I've had to work around some Mozilla bugs in a way that makes it difficult for me to support OSX versions of RMD.

Daniel, I'm very happy to hear that *solving* this is being considered for TB3. In the meantime, if you (or anyone else) has insight into ways to make RMD more secure I'm more than willing to discuss it. Always have been. (For example, cert fingerprint storing was added based on user suggestion). 

"The man-in-the-middle Extension". That's cute. It's also a fair bit more polite than some of the things Mozilla users call the default mismatched domains functionality.

I can be contacted through my site.

It's good to hear from the creator of the "man-in-the-middle extension." It seems that I have achieved hitting "two birds with one stone." The Mozilla team is possibly going to add it for TB3 and Andrew can work on RMD to make it compatible in the interim.

(In reply to comment #5)
> (For example, cert fingerprint storing was added based on user suggestion).

Glad to hear that, that addresses my personal concerns.

The SSL purists calling it the MITM extension want the ugly Mozilla dialogs to go away, too -- by refusing to connect until the server admins install a valid cert.

In that case I hope the SSL purists don't win this one. If they set it up this way, I would be forced to change software and no longer use Thunderbird. In reality that would be punishing the user, not the company being negligent with mismatched certifications. Those companies don't care and won't change. I've already spoken to them about the issue. Unfortunately I have to earn a living and use their system. I know it's easy for some to forget they have to consider what their users want too.

As I mentioned, we do have broad agreement that a hybrid "ssh-like" model for self-signed and other problem certs would be acceptable: eliminate the click-through dialogs that allow, even encourage, users to do unsafe things while allowing users to pre-configure acceptable certs for specific hosts. The devil is in the details, though, and we're not there yet.
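
A minimal sketch of the "ssh-like" model and the cert fingerprint storing discussed in this thread, added here as an illustration; it is not code from Thunderbird or from the RMD extension. `ExceptionStore`, `Decision`, the host names and the certificate bytes are all constructed for the example, and `validated` stands for the result the TLS stack already produced.

```python
import hashlib
import hmac
from enum import Enum


class Decision(Enum):
    ACCEPT = "certificate validated normally"
    ACCEPT_PINNED = "validation failed, but cert matches the stored exception"
    REFUSE_UNKNOWN = "validation failed and no exception is configured"
    REFUSE_CHANGED = "validation failed and cert differs from the stored one"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_cert).hexdigest()


class ExceptionStore:
    """Hypothetical per-host exception list, filled in ahead of time by the user."""

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint of the one accepted cert

    def preconfigure(self, host: str, port: int, der_cert: bytes) -> None:
        self._pins[(host.lower(), port)] = fingerprint(der_cert)

    def decide(self, host: str, port: int, der_cert: bytes, validated: bool) -> Decision:
        if validated:
            return Decision.ACCEPT
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return Decision.REFUSE_UNKNOWN  # no click-through prompt is offered
        if hmac.compare_digest(pinned, fingerprint(der_cert)):
            return Decision.ACCEPT_PINNED
        return Decision.REFUSE_CHANGED  # remembered host, but not the remembered cert


# Constructed stand-ins for DER certificate bytes (not real certificates).
NEWS_CERT = b"constructed-cert: CN=news.example.net"
OTHER_CERT = b"constructed-cert: CN=news.example.net (different key)"

def demo():
    # news.example.edu serves a cert issued for another name (mismatched domain).
    store = ExceptionStore()
    store.preconfigure("news.example.edu", 563, NEWS_CERT)
    return [
        store.decide("news.example.edu", 563, NEWS_CERT, validated=False),
        store.decide("news.example.edu", 563, OTHER_CERT, validated=False),
        store.decide("mail.example.org", 993, NEWS_CERT, validated=False),
    ]
```

Binding the exception to the fingerprint is what separates this from remembering the host name alone: a different certificate presented for the same host is refused rather than silently accepted.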
What you describe, Daniel, sounds like it could make everyone happy. That's encouraging.

Here's to the day RMD can be retired.