Sunday, July 5, 2020

A belated note: TLS 1.0 and 1.1 support ended with Thunderbird 68.4

Once upon a time, we did not have to worry about connection encryption.  everyone connected in plain text and often did not even need a password.  How time have changed, over the last 20 years, connection encryption has become a defacto standard. So now there is not only the End of Life dates for Operating systems (windows 7 14 January 2020)  but these encryption protocols come out with new versions and older versions are cryptographically broken and have to be removed from active use.

The time has come in Thunderbird for the end of life of TLS version 1.0 and 1.1.  TLS 1.0 was technically "end of life" 30 June 2018 but for reasons, I do not grasp the agreement between Apple, Google, Microsoft, and Mozilla to retire support for these aging cryptographic protocols is for version 1.0 and 1.1 together. Firefox has now retired them in Version 74, and as Thunderbird is built on the Mozilla platform it is also retiring them at the same time as Firefox ESR removes it in Version 68.5.

So what does this mean to Thunderbird mail users?  For most people it means nothing.  Your mail provider will have been proactive in retiring old protocols and maintaining their PCI DSS compliance so the change will have no impact at all.

For those who use mail servers that do not have proactive administrators, you will not be able to connect to the mail server to get your mail.  If you suspect this might be the case, open the error console (Alt+Shift+J) and clear it (trash bin icon) then attempt to get your mail.

You will see errors about incompatible connection or security issues. I do not have access to a noncompliant email server to offer examples.  But as an alternative, you can go to the ssl-tools web site and put in the part of your email address after the @ and check in the report that your mail server supports TLS versions greater than 1.1

Saturday, February 22, 2020

Changing text color and the special issue this represents for Mac users.

Thunderbird 68 removes the limit on the number of colours available and now offers whatever the operating system of the device offers.  This is usually more than 60 million.

You are using Apple,  the complex things you see are part of your apple operating system.  Windows users see a colour picker that they pick a colour from because that is the tool windows offers up when asked.

Both operating systems should put up an equivalent to this

The windows dialog you see when you click the colour bar to set another colour looks like this

Apple has something that looks like this as their operating system colour picker

They offer instructions here on using this part of their operating system.

The special problem MAC users appear to have is they do not close the colour picker dialog and then complain that the colours in Thunderbird do not update. So, close the dialog.  That is all you have to do to make it work.

Friday, September 20, 2019

I lost my Profile/Mail on update to Thunderbird 68.

If this is you,  then you are not alone.  Thunderbird 68 comes with this fancy new profile per install thing that the Firefox folk invented with Firefox 67.  It serves a purpose,  but for the vast majority of users it is nothing but a nuisance that offers yet another reason for things to go wrong.  But it can be beaten and once set should remain the same basically forever.  The current issues are mostly about changing from 32 to 64 bit builds and once that is done should not have to be repeated.

In my instruction I assume that the profile is located in the default location.  if you changed this default to some other drive for space reasons for example,  you will need to correct my instructions so your looking in the right place for your old profile.

First navigate to the Troubleshooting information on the help menu. Scroll to the bottom of the "Application Basics" information and select the last entry.  About:profiles.

 This will open a new tab showing the about profiles information.

This heading is followed by all the registered profiles Thunderbird currently has registered. 

If you have more than the current default profile listed,  it is worth noting the name of the current default and clicking the "Launch profile in a new browser" button for other profiles shown.  The label is incorrect and awaits correction.  But clicking the button will launch Thunderbird in a new window with the selected profile loaded.  If it happens to be what you are looking for.  Click the Set as default button and you good to restart.

If none of the profiles listed here are your missing one,   you will need to move on to creating a new profile that is in the same location as the old profile.  Use the "Create a new profile" button at the top of the about:profiles page to start Thunderbirds Create profile wizard.

The action here is to use the Create profile button. This will open a Create profile Wizard dialog.

Lots of information here, but just click Next.

 This dialog is upset because the name already exists,  as does the location,  so change the name.  To anything.  Something like OldProfile or MyProfile might be a good easy name to remember if you ever have issues in the future.

Now click the choose folder button.  This will open a standard open dialog in the default location of the profiles.  What I see looks like this
This list of files with their random characters and "profile names" on the end is the same list as shown in the about:profiles page.  But there should be one more profile listed here than is shown in the about:profiles page.  Select it as the location for your new profile and click ok.  Then in the profile wizard click finish.

You will be returned to the about profiles page and the list will be refreshed with your new profile name which will show as default. A restart of Thunderbird should see the correct profile launched.

Profile per install and downgrade protection

Thunderbird 68 also introduced a Mozilla feature,  profile per install and picked up the downgrade protection along with it.  This actively prevents downgrading from one version to another.  Mozilla also introduced a new command line option to override the downgrade protection.

For those using Thunderbird this command line also works.  So I suppose I need to offer instructions for that.

For Windows users,
using the run command (Windows key+R) 
Entering the following command line for 32 bit Thunderbird 
"C:\Program Files (x86)\Mozilla Thunderbird\Thunderbird" -allow-downgrade 
or the following command line for 64 bit Thunderbird
"C:\Program Files\Mozilla Thunderbird\Thunderbird" -allow-downgraded 

These example assume default installs and you might just have been switched from 32 to a 64 bit build on update.  So you might have to try both. 

For MacOS
cd /Applications/
./firefox -allow-downgrade
For Linux
cd Thunderbird installation directory
./thunderbird -allow-downgrade

Friday, July 19, 2019

Yahoo problems

The following two options should workaround the bug in the Yahoo mail system that affect many more than just those with @Yahoo mail addresses.  There is also a Thunderbird bug that has been raised to investigate this issue here that provides more detailed information should you be interested. 

Select options from the three bar menu.
Select the Display | Formatting tab | Advanced button
Set outgoing mail text encoding to Unicode
Select the "When possible, use the default text encoding in replies"
Click on Ok.

If that does not do it for you you will need to use the config editor to modify the setting mail.strictly_mime to true to force Thunderbird to use 7bit encoding in email.  This is not an optimal setting but is sometimes needed to workaround the various Yahoo issues.

Wednesday, February 28, 2018

Copy Thunderbirds profile to a new computer.

This is something we all must undertake at some point,  and to this end there is an article on the Thunderbird support forum that offers a number of methods.  See here 

I am writing this because really the article is  inadequate,  but attempts to improve it run into issues with Linux and OSX.  So here the discussion is about windows only and will offer instruction that assume you have not changed some fundamental options in Thunderbird.

While the vast majority of Thunderbird users do not change the location of their profile, or change the folder ("Local Directory") used to store the mail data for an account. It is possible to do both things and is one of the reasons the instructions on the support site are not as good as they should be.
So check the following in your old device.

Local Directory
  1. Right click the account in the folder pane in Thunderbird.
  2. Select properties
  3. In the server Settings for the account look at the "Local Directory"

In the above image I have removed the parts of the path that are specific to any one computer.  The remaining information is consistent with all versions of Windows since XP.  The part that needs to be checked  to ensure it is set to a default location is \appdata\Roaming\Thunderbird.  If your path does not contain this string.  These instructions are not for you.

Profile folder location

  1. On the help menu select troubleshooting information.  
  2. Click open folder beside "Profile Folder"
  3. Windows file manager will open. 

Again check the profile location contains \appdata\Roaming\Thunderbird.  This is the default location of the profile and unless it has been actively changed will show in the path at the top of the explorer window.

If the above two checks show  \appdata\Roaming\Thunderbird then proceed with the profile size check and actual copy below.

 Size check and copy
Old device.
  1. Windows key + R
  2. Type %appdata%
  3. In the Windows explorer window that opens select the Thunderbird folder with your mouse in the left hand pane.
  4. Right click the Thunderbird folder with your mouse and select properties from the menu that appears. Take note of the size of the Thunderbird folder and the number of files.
  5. Select a USB device with sufficient free space to hold your profile folder and copy the folder to it.
  6. Right click the Thunderbird folder on the USB drive and confirm it is the same number of file and folders as you noted earlier.  If it is different then the copy will most likely not be complete. 
New Device

  1. Windows key + R
  2. Type %appdata%
  3.  Copy the Thunderbird folder from your USB device and drop it onto the appdata folder in the windows file manager.  If there was no Thunderbird folder before, one should be created.  If there was one you should be prompted to replace files.
  4. Install Thunderbird.  Or start it if you previously installed it..

Saturday, February 25, 2017

Is yahoo a lost cause? Probably!

Today I got an email from Yahoo,  they were very concerned for my account security.  So concerned in fact they told me.

Our external forensic experts have been investigating the creation of forged cookies that could allow an intruder to access users’ accounts without a password. Based on the ongoing investigation, we believe that a forged cookie may have been used in 2015 or 2016 to access your account.
That is nice.  Someone accessed my account.  I wonder what they actually accessed?  Yep, you guessed it. No information form the nice folks at yahoo on that subject.  Just a bland generic suggestion that I "Review all of your accounts for suspicious activity."  really,  this tells me what they accessed how?  Was that email from the Japaneese company I was negotiating the export contracts with in the account when it was accessed?  Was that why the group for Bangladesh managed to undercut my price?

Now this account has only one purpose,  it is one I created to test Thunderbird against the ever more bizarre processes used by Yahoo.  Looking back over the account from the time it was created on the 16th February 2011 it has received exactly two email not originating from me.  Both were from Thunderbird users trying to navigate the complexities of Yahoo. (the last of those emails was in 2014).  But it appears from Yahoo that I have been the victim of state sponsored hacking for the purpose of just peeking in I suppose.

We have connected some of the cookie-forging activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016

Now this is where I get a little concerned.  They have connected "some of the ... activity" to that source.  So are they telling me that the account has been hacked by multiple parties on multiple occasions?  Are they telling me anything at all or just pressing the flesh and selling their new authentication protocol that offers them further advertising opportunities and more information about me as a person. I actually think both.  They are I think admitting their accounts have been an open door for years for those in the know.  I must wonder why Yahoo got those information requests from the US government.  Perhaps they are not as good at hacking as other nations

The older I get the more aware I am that TNSTAAFL  but the marketing spin and the sheer cheek here is astounding.  At this point, Yahoo have whatever details I gave them to create the account and they will not be fiction,  but may well be a long way from what my credit provider calls the truth.  This blog has more personal information that my yahoo account,  and that is no accident.  But this email does not encourage me to give Yahoo any more insight into who I am, they proved they are not capable of managing any personal data at all. Giving them a phone number is not something that will be happening.  Closing the accounts will be first.

But lets look at what they did say, "the creation of forged cookies" is what their external investigators are looking at. Almost everyone knows,  once you log into a web site it gives you an authorization cookie that validates you against subsequent pages,  like opening an email, so you do not have to enter your password for every page load.  Apparently Yahoo had an issue with these cookies, their algorithm for producing a secure authorisation was too simple or to well known and multiple unknown parties had unfettered access to just about everything they had in peoples accounts over a number of years. Now yahoo wants to put the genie back in the bottle. by replacing one single factor authentication method (A password) with another.  (Pressing ok on a phone app when I try and access their web site or mail.) 

What have yahoo done to stop the use of forged cookies?  Well, they invalidated the forged cookies. This implies that the forged cookies were still being used until very recently, like this week really. Good hey. That is like closing the garage door when you see your car turning the corner at the end of the street.

They (Yahoo) are also  "constantly enhancing our safeguards and systems that detect and prevent unauthorised access to user accounts".  Hey guys.  Just a concept here.  But I have been accessing this account from the same IP for years.  perhaps I do not need a phone app or a password to identify my connection as me.  Instead you come up with safeguards that make using your service a burden instead of a pleasure.  I do not need a new log in method.  I need a new provider of email. Sorry but bungling ham fisted bulk admissions really do not leave me feeling any better about Yahoo that I felt the day I first heard they had been hacked. 

For others that actually used their yahoo account;
  • Did you have photos stored on yahoo that your would not like public?  They probably are now. 
  • Did your business have sensitive document or email stored on Yahoo?  They are probably public now. 
No amount of generic admissions can excuse this breach of trust.  But to add insult to injury  Bob Lords email contains web beacons.  That is not what I would call a contrite apology.  More like meeting some legal requirement and garnering proof of doing so for use in subsequent litigation.

Monday, January 30, 2017

Anti Virus again

For a very long time I have been banging on about anti virus (AV) programs and how they appear to be designed to make email clients look bad.  Early on I though it was just me,  but then I found an MVP for Outlook Express that also had issues with Anti virus products and their continual ability to mess up email and email applications. Microsoft kindly removed his web presence.  I did get a copy of what he said in my post here though

Today I stumbled on a series of articles and discussion by people whose opinions I think are worth taking notice of.and they are all denouncing Anti virus products.  Some (most really) of this is not new.  But it would appear the cat may be out of the bag.  But You draw your own conclusions.

Robert O'Callahan, was a developer with Mozilla until about 12 months ago.  He has just posted to his blog a recommendation to Disable Your Antivirus Software (Except Microsoft's) a fairly strong statement followed up by a suggestion that. "At best, there is negligible evidence that major non-MS AV products give a net improvement in security".   So there we have it.  But why now?  Because when he tried doing something about the appalling way anti virus affected Firefox in 2012.  He was shut down for shaming Mozilla "partners".  Now having been away from Mozilla he feels he can freely express his opinion.  I encourage you to read everything he says on that blog post.  It really does not reflect well on so called "security" products.

This all gave me some vindication for my prior distaste for AV products,  but  then I wandered into  the twitter sphere of Chrome developer Justin Schuh where he said "AV is my single biggest impediment to shipping a secure browser." and "I could rattle off a laundry list of total security breakage due to worthless AV code."  So now we have developers involved with two major browser projects that are not at all happy with the way things are going with Anti Virus products.  Looking through that discussion you might notice a current Mozilla employee with a grime about AV caused problems,  and a computer technician that does not want thing to change because he makes his money fixing the mess left by anti virus products.  So who actually think these things are doing their job and making things more secure.

Logic would indicate that at east those selling Anti virus product would be supporting them as a good thing.  Not so. Anti virus products are "doomed to failure," according to Brian Dye, senior vice president for information security at Symantec, the maker of Norton brand of anti virus products.

"Antivirus products are catching less than half of all cyberattacks", Dye said, in May 2014.  For a company that is aware of the playing field,  I wonder why they are still in the market all these years latter. (As the Wall street journal article is behind a paywall.  I will link to the ZDNet report for further reading.)

To give Norton a break, they have concentrated more on whitelisting applications that their firewall will allow to access the internet in the past few years.  But this has issues all of it's own.  Thunderbird releases a new version and the support forums light up with users who can no longer get their mail because Nortons firewall has blocked the new version.

But the question is still open.  Is their software leaking?  Is it secure? I really do not know.  Norton had issues last year.  but given the speed of their releases, can they really be doing much more than patching vulnerability as they are notified of them?
The SecurityIntelligence article that reported the Norton issues stated. "It’s a relatable conundrum: Security companies don’t want to lose their share of the market and often choose speed over safety, something corporate IT departments struggle with on a daily basis. But the continuing parade of bad medicine stories suggests that it’s time for a change; using kernel privileges carries the risk of Heartbleed-like failure and simply isn’t worthwhile in the long term. "

The reality is all anti virus products have issues,  just how bad they are is still open to some discussion.  But I think everyone should take just a little time to actually consider what their anti virus product is doing for them, and what issues it might be causing for them.  Not the least of which is slowing your system down.

For once a bibliography.
ZDNet article that set me off on this journey 
Twitter discussion Justin Schuh
Robert O'Callahan's blog post
Antivirus Hall Of Shame discussion on
Security intelligence report on Norton's vulnerability.
ZDNet report on comments by Brian Dye, senior vice president for information security at Symantec