Thunderbird opening mail without password

17 replies to this topic

#1 Achaemenid

Achaemenid

  • Members
  • 432 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 05 July 2017 - 09:34 AM

I have an encrypted drive in Linux Mint 17.2

 

Within this, I have set up a Thunderbird account to facilitate using pgp through Enigmail. But before getting to that, I find T-bird to be insecure.

 

I have one email account associated with it.  When I open T-bird, which you can do without a password just by clicking on the menu option in the lower left corner of the Linux desktop, T-bird opens to the email account.

 

Even though T-bird asks for the password of the email account, I can click on an email and open it without inputting the password.

 

This seems even less secure than simply using the webmail account and running pgp in some other way.

 

Has anyone run into this problem?  Can you suggest any fixes?

 

Is this problem due to the fact the T-bird account has no master password?

 

 



#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 05 July 2017 - 09:52 AM

I don't understand why you consider this insecure.

 

E-mail client programs are written with the presumption, and an awfully good one, that the person using them is going to have physical security over the device on which they are installed and, if that's the case, that's your first and best line of defense against intrusion.

 

Most e-mail clients, not just Thunderbird, download a select collection of message bodies along with message headers (I'm presuming IMAP access here) for a number of the most recent messages by default so that you can still access them for reading if you're offline.  It's perfectly reasonable, with the presumption that you have physical control of your device and that you had to enter the password for the account to allow download of the messages (or message headers) already downloaded that if you click on one of those you should be able to read it.

 

If you don't have and don't maintain physical access control over your equipment all other security measures will be, essentially, useless if it falls into the hands of someone who knows how to dig around and decides to do so.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


#3 Achaemenid

Achaemenid
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 05 July 2017 - 11:49 AM

I don't understand why you consider this insecure.
 
E-mail client programs are written with the presumption, and an awfully good one, that the person using them is going to have physical security over the device on which they are installed and, if that's the case, that's your first and best line of defense against intrusion.
 
Most e-mail clients, not just Thunderbird, download a select collection of message bodies along with message headers (I'm presuming IMAP access here) for a number of the most recent messages by default so that you can still access them for reading if you're offline.  It's perfectly reasonable, with the presumption that you have physical control of your device and that you had to enter the password for the account to allow download of the messages (or message headers) already downloaded that if you click on one of those you should be able to read it.
 
If you don't have and don't maintain physical access control over your equipment all other security measures will be, essentially, useless if it falls into the hands of someone who knows how to dig around and decides to do so.


Yes, I have physical control of the computer and no one else has access.

You seem to be saying that when I first entered the account into T-bird, that was the only time a password was necessary. Is that right?
So you are saying this is normal behavior for T-bird, right?

If that were true, why is T-bird asking me for the email account password at the same time it makes the account accessible without the password?

#4 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 05 July 2017 - 01:56 PM

Yes, I have physical control of the computer and no one else has access.

You seem to be saying that when I first entered the account into T-bird, that was the only time a password was necessary. Is that right?
So you are saying this is normal behavior for T-bird, right?

 
By default this would be the normal behavior.  Virtually no one wants to be prompted for the password for their e-mail account each and every time the e-mail client they're using does a send/receive cycle.  They just want it to do a send and receive.
 
At one time, when you were setting up an account, there was a way to specify that it was not to save the password and you would be prompted each and every time the client needed to connect to the servers.   I never do this and no one I know does this as it's so darned inconvenient and, if you have physical control of your device(s), completely unnecessary.

 

If that were true, why is T-bird asking me for the email account password at the same time it makes the account accessible without the password?


You do not seem to be making the distinction between "your account" and "your downloaded messages" from the account that have already been snagged by the e-mail client on a prior send/receive cycle. If it's asking you for the password, access to the account, on the server, is not possible without it. Anything that has already been downloaded and is inside the e-mail client's database of messages is.

Exactly which messages will be available depends on exactly how you have configured either your POP or IMAP access to your e-mail server for a given account.

It is not the responsibility of an e-mail client to keep the actual user of same locked out of their e-mail. Thunderbird does have a master password capability, but in reality if you're using a Windows machine that has the capability of establishing separate user accounts that is the mechanism that should be used to keep someone from accessing not only Thunderbird, but anything else related to your account.


#5 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:52 PM

Posted 05 July 2017 - 04:43 PM

In Thunderbird, click on Tools > Options > Security > Password tab - Saved Passwords button.

 

You can also set up a Master Password that would need to be entered once per session.


Edited by jwoods301, 05 July 2017 - 04:43 PM.


#6 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 05 July 2017 - 04:52 PM

In Thunderbird, click on Tools > Options > Security > Password tab - Saved Passwords button.

 

You can also set up a Master Password that would need to be entered once per session.

 

Based upon what's already been said I would suspect that the original poster has no saved passwords, though the instruction on where to find same is most welcome for other readers.

 

It also appears that only the use of the master password coupled with manual password entry for each account (if there are more than one) would come close to achieving what's being sought, and not even quite that since once the master password is entered you have a situation just like you would if there were no master password along with no saved passwords.

 

Using a web based interface, if one is available, for the accounts and logging out between checks of messages is about the only thing I can see that comes close to the degree of "button down" this member is seeking.



#7 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:52 PM

Posted 05 July 2017 - 05:10 PM

Even though T-bird asks for the password of the email account, I can click on an email and open it without inputting the password.

 

This seems even less secure than simply using the webmail account and running pgp in some other way.

 

Has anyone run into this problem?  Can you suggest any fixes?

 

Is this problem due to the fact the T-bird account has no master password?

 

 

As mentioned above in post #5, there is a Master Password...it protects the Saved Passwords, so it offers further lockdown.

 

Clicking on an email in your Inbox (or any other location in Thunderbird) means that it has already been downloaded from the email server.

 

To get your email downloaded to Thunderbird, you have to log in to the email server with a User Id and Password.

 

Not a security flaw...it's the way it's supposed to work.


Edited by jwoods301, 05 July 2017 - 05:13 PM.


#8 Achaemenid

Achaemenid
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 07 July 2017 - 03:09 PM

In Thunderbird, click on Tools > Options > Security > Password tab - Saved Passwords button.

 

You can also set up a Master Password that would need to be entered once per session.

thanks for responding

But I have been following the T-bird setup advice on this site:

https://securityinabox.org/en/guide/thunderbird/windows/

 

There it says not to save the passwords.

I would not mind inputting the password for each email account. My objection is that T-bird is opening the account before I can do that.

 

I have avoided the master password option because it seems like it's just adding password upon password, but if that is the only solution for the technical problem I am facing, then ok.


Edited by Achaemenid, 07 July 2017 - 03:11 PM.


#9 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 07 July 2017 - 03:23 PM

I have no idea why one would ever want to uncheck the "Remember password" box in an e-mail client that will store it encrypted, on a machine that you have physical control over, and where you'll be using that client to read your e-mail (and probably keeping it open for hours at a time where it will try to send-receive automatically [unless you turn that feature off] and will nag you each and every time it has to connect to the servers).

 

There is no added security of any significance to be gained from not remembering the password.  Modern clients like Thunderbird will also handle two-step authentication all on their own if I am not mistaken.

 

You're making your life much, much more complicated for virtually no meaningful gain in actual security.



#10 Havachat

Havachat

  • Members
  • 1,136 posts
  • OFFLINE
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.
  • Local time:08:52 AM

Posted 07 July 2017 - 07:31 PM

If you want to enter passwords each time then set it up that way, but as Brian said "What's The Gain" .......Zilch.

Would you want to enter your ADSL password each time you go on the Net, like in the old days? ...No Thanks!

 

Standalone Email Clients are Built to make life easier these days and Secure. I have Microsoft Office Outlook with 4 Email Accounts and Passwords Saved, so I open it and Hit "Send and Receive", and they all Download. { I'm not entering 4 passwords to make life harder for myself }.

 

No different to a Web Browser remembering your Forum Passwords as I do, but some may say this could be a risk in certain circumstances.



#11 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:52 PM

Posted 07 July 2017 - 08:50 PM

You could also download and run the free version of Roboform 8.

 

https://www.roboform.com/

 

Roboform will fill desktop applications forms as well as web forms.

 

Version 8 now allows unlimited entries.


Edited by jwoods301, 07 July 2017 - 08:52 PM.


#12 Achaemenid

Achaemenid
  • Topic Starter

  • Members
  • 432 posts
  • OFFLINE
  • Local time:04:52 AM

Posted 10 July 2017 - 06:13 PM

The reason we want to uncheck the box in the T-bird configuration that says "save my password' is because it is a security risk, not from physical attack but from online hacking.

 

I got this advice from this website:

 

https://securityinabox.org/en/guide/thunderbird/linux/

 

britechguy -- you are directly contradicting this website.

 

I think some of us are missing the point of my post: The flaw that I see here is that T-bird should not open the email inbox at all before the password is typed in.

I have no problem with typing the password in every time.

 

This is about the last time I am coming to this thread because it seems to have gone off the rails.

 

What I would like to do is tell T-bird to wait until I have typed in the password before opening the inbox.



#13 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 10 July 2017 - 06:41 PM

And what we've been trying to tell you is that neither Thunderbird, nor any other contemporary e-mail client, will do this.  I know of not a one, and I have explained, in detail, why.

 

And I am contradicting that website.  I deal with what is probable, based on decades of being in this business, not what is remotely possible and highly unlikely.  It also gains you as close to nothing as is humanly conceivable with regard to added security.  As does disabling HTML e-mail, which is insane to do these days since the vast majority of it is composed using HTML and you lose tons of functionality and "viewability" when you do that.  Realtime scanning of e-mail before download by the server and/or immediately upon arrival on the client machine has virtually eliminated all the threats that were once common with HTML email.  Paranoia does not help with real security.

 

The closest thing you're going to get to what you want with an e-mail client is to use a master password feature that won't allow you into the client without it.  Once a client has downloaded messages those remain accessible, by default, to anyone who can access the e-mail client.  This is because it makes the most sense for how people use e-mail and in situations where simple physical security measures to prevent unauthorized access to the computer itself are in place.


Edited by britechguy, 10 July 2017 - 11:00 PM.


#14 Havachat

Havachat

  • Members
  • 1,136 posts
  • OFFLINE
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.
  • Local time:08:52 AM

Posted 11 July 2017 - 06:02 AM

I think some of us are missing the point of my post: The flaw that I see here is that T-bird should not open the email inbox at all before the password is typed in.

I have no problem with typing the password in every time.

 

 

So there's no issue!

If you haven't entered your password and downloaded any New Mail, you're reading old mail downloaded previously, when you start TB and it goes to your Inbox.

So there's no issue if it goes to the Inbox when it starts up ....IMV.

 

If you still think it's an issue - take it up with Mozilla

https://support.mozilla.org/en-US/products/thunderbird/emails-thunderbird


Edited by Havachat, 11 July 2017 - 06:04 AM.


#15 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 9,012 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:05:52 PM

Posted 11 July 2017 - 09:07 AM

 

I think some of us are missing the point of my post: The flaw that I see here is that T-bird should not open the email inbox at all before the password is typed in.

I have no problem with typing the password in every time.

 

 

So there's no issue!

If you haven't entered your password and downloaded any New Mail, you're reading old mail downloaded previously, when you start TB and it goes to your Inbox.

So there's no issue if it goes to the Inbox when it starts up ....IMV.

 

Exactly.  And this is true of any e-mail client known to humankind.  And it is not a security risk, it is normal and expected behavior.

 

A solution already exists, in most cases anyway:  use your e-mail provider's web interface rather than an e-mail client and log out after you complete reading what's come in since you last logged in.

 

I have no idea why anyone would want to do that, as it makes keeping up on e-mail infinitely more difficult than remaining logged in and taking the occasional look to see what's come in lately if you're sitting in front of your computer the whole time, have the computer in a location where you can prevent anyone else from having access to it or, barring that, bring up the password protected lock screen if you're going to be away from the keyboard for some period of time.  The latter method is used routinely in "cubicle farm" work environments where physical access cannot be effectively blocked but control over who's in the building is tight.  No one leaves their computer sitting out, fully logged in, in a public venue and just walks away from it (unless an emergency occurs).

