[CentOS] [security] Thunderbird vulnerable to MITM

Sat Aug 22 15:05:51 UTC 2015
Alice Wonder <alice at domblogger.net>

Thunderbird has a MITM vulnerability with its otherwise rather groovy 
auto-configuration feature.

The problem is that it makes requests via HTTP to retrieve the auto 
configuration information.

This allows a black hat (e.g. the NSA) to modify the results sent to the 
client, and the client has no way to verify the results have not been 
tampered with.

This could even allow the black hat to act as a proxy for quite some 
time and the client may never know.

This vulnerability is not something that can just be patched without 
breaking most auto-configuration.

I have what I think is a solution to the problem, but I think it needs 
further review - and it needs someone who actually has the right 
contacts in the software and hosting worlds to get it implemented.

That's not me, I don't really like most people and the feeling tends to 
be mutual. Anti-social issues aside, I do think this needs to be fixed.


has what I think would be the easiest solution while keeping the ability 
to auto-configure stuff.