Closed Bug 611112 Opened 14 years ago Closed 13 years ago

Default location in the start page message area reveals information and is susceptible to DNS hijacking

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
Windows 7
defect
Not set
critical

Tracking

(thunderbird3.0 wontfix)

RESOLVED DUPLICATE of bug 576264
Tracking Status
thunderbird3.0 --- wontfix

People

(Reporter: nikosft, Unassigned)

Details

(Keywords: privacy, Whiteboard: [sg:moderate])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6

The default location in the message area (Tools -> Options -> General, Location field) uses plain HTTP and it reveals information that can be used by malicious users, including: OS, version and build. Moreover, Thunderbird does not verify that the content received actually comes from the location specified (which in the default case is something expected) and a user can be easily deceived. The situation becomes even worse if one considers the fact that showing the location is enabled by default, and in this area users are used to seeing Mozilla product advertisements (so a malicious user can present a virus as a new Mozilla product).

Reproducible: Always

Steps to Reproduce:
1. Modify your DNS server to point live.mozillamessaging.com to your webserver
2. Create a directory named thunderbird and in this directory create a file named start that prints html hello world 
3. Launch Thunderbird with the default settings
Actual Results:  
You will see a "hello world" message in the start page message area

Expected Results:  
The software should have used https as the default location in order:
a) to hide the user's information
b) to be able to verify the default location
Confirming; plain http for something that appears to be part of the client UI is a terrible choice. The live.mozillamessaging.com server is accessible via HTTPS, but you can't simply change the URLs in the product prefs because it redirects to http://www.mozillamessaging.com/en-US/thunderbird/3.1/start/?<etc> (not SSL) regardless of whether you use SSL or not in the initial request. You'll have to fix the redirects as well.

SSL should not be too resource intensive to support this. We've managed for Firefox with tens of millions more users.

Do you really need all that snooping information passed to the start page? I suppose pulling it out doesn't make too much difference since you get the same kind of information from the user-agent string in the request headers, and the same data as a side-effect of update checks (obviously you need to know what version, locale, OS they have to give them the right updated version). But the tradeoff in the other ways is more direct -- I tell you what version I have so I get the right update back in return, whereas on the start page it just looks like user data collection. Lucky the URL isn't in a user-visible place for Thunderbird unlike in a browser.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy
Whiteboard: [sg:moderate]
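As an added example (not code from the bug report or from Thunderbird), the following Python audits a start-page URL of the kind discussed above from the defender's side: it flags a plain-http scheme, lists which query fields carry client-identifying data, checks a redirect chain for the https-to-http downgrade described in the previous comment, and rewrites the URL to https keeping only the fields the discussion calls necessary. The query parameter names (os, version, buildid, locale) and both sample URLs are constructed for the example and are assumptions, not the product's own preference values.

```python
"""Audit a Thunderbird-style start-page URL and its redirect chain.

Added example; the parameter names (os, version, buildid, locale) and the
sample URLs below are assumptions constructed for this example, not the
product's real preference values.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query fields that identify the client, per the bug discussion
# (names assumed for the example).
CLIENT_INFO_PARAMS = {
    "os": "operating system",
    "version": "application version",
    "buildid": "build identifier",
    "locale": "locale",
}

# Constructed sample: a plain-http default URL carrying every identifying field.
DEFAULT_URL = ("http://live.mozillamessaging.com/thunderbird/start"
               "?locale=en-US&version=3.1.6&os=WINNT&buildid=20101027")

# Constructed sample of the redirect problem from the discussion: the request
# starts on https but the server's redirect target is plain http.
REDIRECT_CHAIN = [
    "https://live.mozillamessaging.com/thunderbird/start?locale=en-US&version=3.1.6",
    "http://www.mozillamessaging.com/en-US/thunderbird/3.1/start/?locale=en-US",
]


def audit_start_page_url(url):
    """Report whether the URL is https and which identifying fields it carries.

    Returns {"https": bool, "leaks": [(param, meaning, value), ...]}.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    leaks = [(name, meaning, query[name][0])
             for name, meaning in CLIENT_INFO_PARAMS.items() if name in query]
    return {"https": parts.scheme == "https", "leaks": leaks}


def downgrade_in_chain(chain):
    """Return the index of the first hop that is not https, or None.

    `chain` is the ordered list of URLs visited: the initial request followed
    by each redirect target. A client that only checks the first URL misses a
    downgrade introduced by the server's redirect.
    """
    for index, url in enumerate(chain):
        if urlsplit(url).scheme != "https":
            return index
    return None


def harden_start_page_url(url, keep=("locale", "version", "buildid")):
    """Rewrite the URL to https and drop every query field not in `keep`.

    The default `keep` follows the discussion: locale, version and build id are
    used for the live redirects, the OS is not.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k in keep]
    return urlunsplit(("https", parts.netloc, parts.path, urlencode(kept), parts.fragment))


def report(url, chain):
    """Human-readable summary, for running the example by hand."""
    findings = audit_start_page_url(url)
    lines = [f"scheme is https: {findings['https']}"]
    for name, meaning, value in findings["leaks"]:
        lines.append(f"  reveals {meaning}: {name}={value}")
    hop = downgrade_in_chain(chain)
    lines.append("redirect chain stays on https" if hop is None
                 else f"redirect chain downgrades to http at hop {hop}: {chain[hop]}")
    lines.append(f"hardened URL: {harden_start_page_url(url)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DEFAULT_URL, REDIRECT_CHAIN))
```

Checking the whole chain rather than only the configured URL is the point of `downgrade_in_chain`: with the redirect behaviour described in the comment, switching the preference to https alone would still leave the page fetched over plain http.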
If we keep this bug closed, shall I also close bug 557730 and bug 576264?
This also sounds like a duplicate of bug 527802 that got WONTFixed.
(In reply to comment #1)
> SSL should not be too resource intensive to support this. We've managed for
> Firefox with tens of millions more users.

Firefox doesn't use https for its start page or its what's new page. So I don't know what you're referring to here that Firefox is using.

See the discussion on bug 576264, for some of the existing concerns.

> Do you really need all that snooping information passed to the start page? I
> suppose pulling it out doesn't make too much difference since you get the same
> kind of information from the user-agent string in the request headers, and the
> same data as a side-effect of update checks (obviously you need to know what
> version, locale, OS they have to give them the right updated version). But the
> tradeoff in the other ways is more direct -- I tell you what version I have so
> I get the right update back in return, whereas on the start page it just looks
> like user data collection. Lucky the URL isn't in a user-visible place for
> Thunderbird unlike in a browser.

It is used for the live redirects, and means we can redirect to different pages at any time, e.g. during beta phases of stability releases we redirect to a beta page, and to the production page at the end of the beta phase. If we come up with a new what's new or start page for instance, then we could also redirect all the existing clients, or just some, to the new page.

We probably don't need OS in there, however, version, locale and build ids are pretty important, especially as I believe we're going to be removing them from the user-agent string.
You don't need HTTPS to verify that the page is correct. You can have, for example, the digital signature of the page in an HTML comment. That is for the DNS hijacking.

As far as sending all this information (build, OS) over HTTP, I think it is a terrible idea. The USER-AGENT string is encrypted in most modern mail servers (e.g. GMAIL) and I think the same goes for the update. I cannot understand why users should be so exposed.

Sounds like a duplicate of bug 576264. Nightly builds are already end-to-end SSL.

As of Thunderbird 5.0b1 and Thunderbird 3.1.15, the start and what's new pages have been switched to https. This work was done in bug 576264, so marking as duplicate.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security