Feature #6156
Upstream secure Thunderbird autoconfig wizard
100%
Description
Get these patches merged in Thunderbird upstream.
Upstream merge request: https://bugzilla.mozilla.org/show_bug.cgi?id=971347
Files
Subtasks
Bug #11450: Update the Icedove account setup wizard security patches according to what'll be decided upstream | Resolved | 100 |
|||
Bug #15788: Rethink our patches with Thunderbird 60 | Resolved | 100 |
|||
Bug #15790: Thunderbird autoconfig does not respect the ISP's hints | Rejected | 0 |
|||
Feature #16147: Re-import secure-account-creation patch series for thunderbird | Rejected | 0 |
Related issues
Related to Tails - |
Resolved | ||
Related to Tails - |
Resolved | ||
Related to Tails - |
Rejected | 2018-03-07 | |
Related to Tails - |
Resolved | ||
Related to Tails - Bug #16856: Use non-Riseup email for Thunderbird automated tests | Confirmed | ||
Related to Tails - Bug #17277: Make the Thunderbird autoconfig wizard not trust the result of DNS requests | In Progress | ||
Blocked by Tails - |
Resolved | 2016-06-17 | |
Blocked by Tails - |
Resolved | 2017-01-17 | |
Blocks Tails - Feature #16209: Core work: Foundations Team | Confirmed |
History
#1 Updated by intrigeri 2013-07-19 07:08:07
- Parent task set to
Feature #5663
#2 Updated by intrigeri 2013-07-19 07:08:32
- Type of work changed from Wait to Code
#3 Updated by intrigeri 2013-10-03 11:09:33
- Type of work changed from Code to Upstream
- Starter set to No
#4 Updated by intrigeri 2013-10-03 11:13:21
- Subject changed from upstream secure Icedove autoconfig wizard to Upstream secure Icedove autoconfig wizard
#5 Updated by intrigeri 2014-08-12 13:43:45
- Category set to 212
#6 Updated by intrigeri 2014-09-22 11:40:34
- Type of work changed from Upstream to Code
#7 Updated by BitingBird 2015-01-02 19:29:41
I think the type of work is communicate, since at least in Debian I see no big report, but I’m not sure so I let it as is for now.
#8 Updated by intrigeri 2015-01-03 11:17:49
- Type of work changed from Code to Communicate
#9 Updated by intrigeri 2015-05-29 12:36:58
- Assignee deleted (
None) - Target version set to 246
#10 Updated by intrigeri 2015-05-29 12:37:10
- blocks #8668 added
#11 Updated by intrigeri 2015-05-29 12:40:03
- related to
Feature #6150: Help Tor people upstream the Torbirdy patches added
#12 Updated by sajolida 2015-11-27 04:45:24
- Target version changed from 246 to Tails_2.0
#13 Updated by Anonymous 2015-12-22 06:27:36
- Target version changed from Tails_2.0 to Tails_2.4
#14 Updated by Anonymous 2015-12-22 07:00:25
Setting realistic target version to 2.4, maximum latest delay would be 2.5.
#15 Updated by intrigeri 2015-12-22 09:33:04
Today we discussed that this should be started during the 2.2 cycle, span over the 2.3 and 2.4 ones. I would suggest setting a milestone that matches when you should start working on it, instead of one that matches when it should be finished, to prevent any risk that it’s forgotten until 2.3 is out. Your call, of course :)
#16 Updated by Anonymous 2016-01-05 15:06:50
- related to
Feature #7064: Update our plans for securing Icedove's autoconfig wizard wrt. recent developments added
#17 Updated by Anonymous 2016-01-09 18:13:39
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
#18 Updated by Anonymous 2016-01-09 18:19:53
The current plan is to send our patches with a text to Torbirdy people for a first review with ETA Jan 24th 2016.
Then ideally we would be able to send them to the Thunderbird people and also update the corresponding TPO ticket. I’d also open a Debian bug with the same patches and link it to the upstream bug, so eventually the patches could be included in Debian directly - until upstream has them released.
#19 Updated by Anonymous 2016-02-27 12:39:55
I’ve posted the patches upstream today.
See https://bugzilla.mozilla.org/show_bug.cgi?id=669238 and https://bugzilla.mozilla.org/show_bug.cgi?id=971347
#20 Updated by intrigeri 2016-02-27 12:51:43
> I’ve posted the patches upstream today.
Great! A link would be useful next time we need to report about the progress of this task :)
#21 Updated by anonym 2016-05-16 05:34:30
- blocks deleted (
)Feature #6154: Secure the Icedove autoconfig wizard
#22 Updated by Anonymous 2016-05-24 13:13:42
- blocks
Bug #11481: Alert TorBirdy devs about Thunderbird upstream patch prefs added
#23 Updated by Anonymous 2016-05-24 13:45:29
- Target version changed from Tails_2.4 to Tails_2.5
Unlikely that this will happen in time for 2.4. Postponing.
#24 Updated by Anonymous 2016-06-07 02:14:36
- % Done changed from 10 to 20
There has been quite some progress. Our patches have all been reviewed now and only code style improvements were asked for as a result of this review. This makes me think that we’re nearly there! We’ll work on a modified patchset taking upstream’s remarks into account later this week.
#25 Updated by intrigeri 2016-06-07 02:18:30
> There has been quite some progress. Our patches have all been reviewed now and only code style improvements were asked for as a result of this review. This makes me think that we’re nearly there! We’ll work on a modified patchset taking upstream’s remarks into account later this week.
Excellent news, glad to read that!
#26 Updated by Anonymous 2016-06-10 06:19:54
We’ve resubmitted a new patchset today which was thouroughly tested by anonym. Waiting for a reply from upstream now. Let’s hope for the best.
#27 Updated by Anonymous 2016-08-02 04:39:19
- Target version changed from Tails_2.5 to Tails_2.6
#28 Updated by Anonymous 2016-08-18 12:19:18
- blocked by
Bug #11536: Icedove autoconfiguration is broken for ISPs serving a OAuth config added
#29 Updated by intrigeri 2016-08-31 05:11:56
- blocks
Bug #11450: Update the Icedove account setup wizard security patches according to what'll be decided upstream added
#30 Updated by intrigeri 2016-08-31 05:13:51
- blocked by deleted (
)Bug #11450: Update the Icedove account setup wizard security patches according to what'll be decided upstream
#31 Updated by Anonymous 2016-09-15 07:47:42
I’ve submitted the latest patchset today. Waiting for upstream again now.
#32 Updated by anonym 2016-09-20 16:53:32
- Target version changed from Tails_2.6 to Tails_2.7
#33 Updated by Anonymous 2016-10-04 13:19:30
- Deliverable for deleted (
268)
Repinged upstream today.
I think that this ticket’s deliverable has been accomplished “try hard to upstream the icedove autoconfig wizard”. Thus, we’ll continue to keep track of it, but not as part of the deliverable.
#34 Updated by Anonymous 2016-10-04 13:21:21
- Parent task deleted (
)Feature #5663
#35 Updated by intrigeri 2016-10-04 16:52:54
> I think that this ticket’s deliverable has been accomplished “try hard to upstream the icedove autoconfig wizard”. Thus, we’ll continue to keep track of it, but not as part of the deliverable.
Woohoo! \o/
#37 Updated by Anonymous 2016-11-09 16:00:42
- Target version changed from Tails_2.7 to Tails_2.9.1
postponing
#38 Updated by anonym 2016-12-14 20:11:18
- Target version changed from Tails_2.9.1 to Tails 2.10
#39 Updated by Anonymous 2017-01-17 15:15:52
- Target version changed from Tails 2.10 to Tails_2.12
#40 Updated by intrigeri 2017-04-20 07:09:15
- Target version changed from Tails_2.12 to Tails_3.1
I suspect that you folks will have other, more urgent things to do until 3.0 is out, so setting target version to 3.1.
#41 Updated by Anonymous 2017-09-05 19:40:06
- Target version changed from Tails_3.1 to Tails_3.3
#42 Updated by anonym 2017-11-15 11:30:48
- Target version changed from Tails_3.3 to Tails_3.5
#43 Updated by intrigeri 2018-01-07 15:50:37
I see lots of discussion happening on the corresponding upstream bug in the past three months. Someone posted an updated patch and somewhat aggressively engaged with upstream. Upstream reacted (very understandably) somewhat defensively. If we still plan to get this merged some day, I think we need to intervene and help de-escalate the situation. anonym & u, did you follow this discussion, do you plan to get involved? If not, please let me/us know that you need help there: I don’t think we can afford doing nothing about it on the long term, the risk of having to ship our patched Thunderbird package forever is just too great. Thanks in advance!
#44 Updated by Anonymous 2018-01-15 11:23:06
See https://labs.riseup.net/code/issues/6156#note-35 for why I am unblocking #8668.
#45 Updated by Anonymous 2018-01-15 11:23:21
- blocked by deleted (
#8668)
#46 Updated by Anonymous 2018-01-15 11:25:45
I will take care of the upstream discussion.
However, our patches have not been merged because we were unable to provide a version that worked in Thunderbird’s test suite (which we did not manage to run). This is Bug #12151.
#47 Updated by Anonymous 2018-01-15 11:27:15
- blocked by
Bug #12151: Get Thunderbird's test suite running and test our patches added
#48 Updated by anonym 2018-01-23 19:52:30
- Target version changed from Tails_3.5 to Tails_3.6
#49 Updated by Anonymous 2018-02-26 15:11:14
I replied on the bug - there was a lot of activity recently and it seems like people are still willing to have these patches reviewed and incorporated into Thunderbird. See https://bugzilla.mozilla.org/show_bug.cgi?id=971347
#50 Updated by intrigeri 2018-02-27 11:11:19
> it seems like people are still willing to have these patches reviewed and incorporated into Thunderbird.
I wonder who these people are and whether I missed something because my understanding of the situation is very different, and still the same as Feature #6156#note-43 (nothing happened since then anyway until your own comment): among the two Thunderbird maintainers who commented, one nack-ed and the other one has strong doubts. I see someone else (alta88) arguing and insisting in favour of our patches but I’m not sure that will help much, quite the opposite IMO.
#51 Updated by Anonymous 2018-02-27 15:15:23
intrigeri wrote:
> > it seems like people are still willing to have these patches reviewed and incorporated into Thunderbird.
>
> I wonder who these people are and whether I missed something because my understanding of the situation is very different,
Looks like it.
> and still the same as Feature #6156#note-43 (nothing happened since then anyway until your own comment): among the two Thunderbird maintainers who commented, one nack-ed
I’m not sure what “nack’ing” is, may you please explain that?
> and the other one has strong doubts.
This one says “Of course SSL/TLS connections would be preferred” and “I see the patch add proxy support in some of the paths, maybe at least that part could be accepted?”. So the way you phrase it (“strong doubts”) seems slightly pessimistic to me.
> I see someone else (alta88) arguing and insisting in favour of our patches but I’m not sure that will help much, quite the opposite IMO.
Absolutely, but I sincerely hope Thunderbird people can make the distinction between this person, us, and the problem we’re trying to solve.
#52 Updated by intrigeri 2018-02-27 16:03:18
> I’m not sure what “nack’ing” is, may you please explain that?
Sure, sorry! ACK = agreeing/approving != NACK = disagreeing/rejecting
>> and the other one has strong doubts.
> This one says “Of course SSL/TLS connections would be preferred” and “I see the patch add proxy support in some of the paths, maybe at least that part could be accepted?”. So the way you phrase it (“strong doubts”) seems slightly pessimistic to me.
I think we’ll have to agree to disagree on this one :)
>> I see someone else (alta88) arguing and insisting in favour of our patches but I’m not sure that will help much, quite the opposite IMO.
> Absolutely, but I sincerely hope Thunderbird people can make the distinction between this person, us, and the problem we’re trying to solve.
+1
#53 Updated by Anonymous 2018-03-02 15:59:42
- Assignee set to anonym
TB now implements a cool feature which display a big red warning to users when they use insecure configs. Great! So all we have to do now, and anonym will do that next week, is to reduce our patches to the “prefer SSL over plaintext” and proxy parts and submit them again for review. Yaaay!
#54 Updated by anonym 2018-03-07 15:02:04
BTW, I’ve noticed that the Mozilla configuration database (https://live.mozillamessaging.com/autoconfig/v1.1/) often presents a CAPTCHA when the request originates from Tor => that method fails => Bug #15387
#55 Updated by bertagaz 2018-03-14 11:32:06
- Target version changed from Tails_3.6 to Tails_3.7
#56 Updated by anonym 2018-04-02 13:31:59
- File secure-account-creation.tar.gz added
- Subject changed from Upstream secure Icedove autoconfig wizard to Upstream secure Thunderbird autoconfig wizard
- Assignee deleted (
anonym)
Sorry for the delay, but this turned out quite a bit more work than expected. In the end, I actually god Thunderbird’s own automated test suite to work and now it passes with all patches applied!’
Below you’ll find comments I’d like to prove to the reviewer. However, I’m unsure of what to do about patch 0018 now. The “red warning” is enough, IMHO, and if we and/or TorBirdy use the pref it adds, then most email over .onion
-space will be impossible since they rely on end-to-end encryption/authentication provided by the .onion
and do not provide SSL for the email protocols. If you agree, just remove patch 0018 and its comment below.
The previous approach of “one big patch” clearly failed, so let’s try an incremental approach with one patch per commit (besides now there are several bugfixes that IMHO deserves their own commits). Please review and merge this series up to the patch you are happy with; each commit is atomic and at most depends on earlier patches, so this is safe and makes sense, and we can return to the remaining patches later. In fact, in most cases if you dislike a particular patch you could just skip that one and at worst get a simple conflict in mailnews/mailnews.js when importing a later patch.
Here I provide some extra patch comments for the reviewer:
0001-Fix-the-prefilled-hostnames-for-manual-edit.patch
0002-Invalidate-config-when-restarting-autoconfiguration.patch
0003-Remove-buggy-debug-code.patch
0004-Fix-issue-when-mailnews.auto_config_url-is-empty.patch
0005-Document-that-mailnews.-auto_config-mx_service-_url-.patch
0006-Comment-pref.patch
These are bugfixes and minor improvements which I suspect you’ll want to merge right away.
0007-Prefer-fetched-configurations-using-SSL-over-plainte.patch
There’s quite some effort made to prefer SSL in other places, so this is arguably a bugfix as well.
0008-Add-SOCKS-proxy-support-for-account-autoconfiguratio.patch
Fixes: https://bugzilla.mozilla.org/show_bug.cgi?id=669238
0009-Generalize.patch
0010-Fix-outdated-error-handling.patch
0011-Improve-logging-for-fetchConfigFromISP-during-autoco.patch
These are nice on their own, but builds up to the next patch:
0012-Fetch-ISP-configuration-using-SSL-if-possible.patch
This opportunistic attempt to prevent MitM can easily be worked around (attacker blocks https, thunderbird downgrades to http and the attacker wins) but is better than nothing, and builds up to:
0013-Add-pref-to-force-SSL-for-ISP-fetch-during-autoconfi.patch
This adds an opt-in pref that fixes the above MitM completely.
0014-Add-pref-for-whether-we-accept-OAuth2-during-autocon.patch
0015-Use-overridden-user-agent-for-HTTP-s-during-autoconf.patch
0016-Add-pref-for-each-guess-timeout-during-autoconfigura.patch
These allows TorBirdy to greatly improve the autoconfiguration UX when using Tor.
0017-Improve-logging-of-guess-instances-during-autoconfig.patch
This one helped me debugging 0015 and 0016.
0018-Add-pref-for-whether-we-accept-plaintext-protocols-d.patch
Given the “red warning” that appears whenever a user tries to accept a plaintext protocol (see comment 127), this patch is not critical for us any more.
FWIW, I’ve seen the test-mail-account-setup-wizard.js test pass with all these patches applied.
#57 Updated by anonym 2018-04-03 17:49:50
- Feature Branch set to feature/6156-thunderbird-secure-auto-config
#58 Updated by Anonymous 2018-04-04 11:33:34
I added those to the upstream bug today.
#59 Updated by Anonymous 2018-04-05 11:59:24
- Assignee set to anonym
Forwarded Ben Buksch’s review to anonym. Reassigning this ticket to you - feel free to reassign it to me later on.
#60 Updated by bertagaz 2018-05-10 11:09:01
- Target version changed from Tails_3.7 to Tails_3.8
#61 Updated by intrigeri 2018-05-25 13:31:52
- Target version changed from Tails_3.8 to Tails_3.10.1
#62 Updated by intrigeri 2018-08-15 06:46:37
I think Bug #15788 should be done first thing before any more work is put into this project :)
#63 Updated by intrigeri 2018-08-16 17:23:56
- Description updated
#64 Updated by intrigeri 2018-08-16 17:43:32
- Assignee deleted (
anonym) - QA Check set to Info Needed
Ulrike, one question for you at the bottom :)
The recurring cost of maintaining & building custom Thunderbird packages a few times a year keeps piling up and it does not help make the FT sustainable. So at the summit I’ll nominate this ticket for the roadmap + FT work, on the ground that it’s become a serious maintainability hinderance and we’ve been waiting too long for the last mile to be walked based on good will and free time.
So let’s sum up what we have. First, it looks like the patches are in good way to be upstreamed. We’re pretty close! \o/
Second, things got more interesting recently and we now have three different patchsets:
- anonym’s rebase of his original patchset, done in March 2018, on top of the
upstream/60.0_b2
from Debian’s Vcs-Git, that lives in thesecure_account_creation-60.0_b2
branch of our Git repo; assuming kibi’s refresh (see below) is OK, I think this one is merely of historical interest at this point - kibi’s refresh of the aforementioned patchset so that it applies on 60.0b10; that’s what we currently have as a quilt patch series on our
tails/stretch
packaging branch and that was used to builddebian/1%60.0_b10-1_deb9u1.0tails1
which whe’ll ship in Tails 3.9~rc1; a more Git-friendly version lives on thesecure_account_creation-60.0_b10
branch, based on theupstream/60.0_b10
tag from Debian’s Vcs-Git - anonym’s improved patchset, that takes into account the last review done upstream in April 2018:
- it was mistakenly based on Thunderbird 52.7 so probably needs a serious refresh
- it is probably better (as in, closer to something that can be upstreamed eventually) than the other patchsets
- AFAICT it was never published, let alone submitted upstream, so far; 4 people have access to it with the attached comments that explain things: anonym, Ulrike, kibi and myself (the 2 latter in
<335bfd60-7be2-b0e3-9fbd-8a58db17e10d
451f.org>@). Apparently anonym wanted the patches and the associated comments to go on the upstream bug report, so perhaps I could attach all this here to start with, so at least the material to submit is not kept secret, but there may be a reason why this did not happen yet. Ulrike?
#65 Updated by Anonymous 2018-08-17 06:25:31
> AFAICT it was never published, let alone submitted upstream, so far; 4 people have access to it with the attached comments that explain things: anonym, Ulrike, kibi and myself (the 2 latter in <335bfd60-7be2-b0e3-9fbd-8a58db17e10d
451f.org>@). Apparently anonym wanted the patches and the associated comments to go on the upstream bug report, so perhaps I could attach all this here to start with, so at least the material to submit is not kept secret, but there may be a reason why this did not happen yet. Ulrike?
It has not happened because it’s not based on the current development version of TB, so these patches are very likely to be rejected - something I’d like to avoid, after all the complicated discussions we’ve gone through with upstream until now. And I was still expecting anonym to rebase the patches on a newer version of TB…
But yes, indeed, you can attach the patches here, and we can improve upon them from this point on. Please not the comments on the upstream bug: some patches have already been reviewed and are considered mergeably by them. If possible I’d like to add this in a comment somewhere, so that we don’t redo work that has already been done.
#66 Updated by Anonymous 2018-08-17 06:25:45
- Assignee set to intrigeri
- QA Check deleted (
Info Needed)
#67 Updated by Anonymous 2018-08-17 06:27:53
I would love us to rework on these patches and resubmit them upstream for good. Let me know if you need my help for this or if FT will handle it from this point on.
#68 Updated by Anonymous 2018-08-17 06:29:06
- related to
Bug #15387: The Mozilla auto_config database requires an unusable CAPTCHA for Torified requests added
#69 Updated by intrigeri 2018-08-17 12:28:48
> Let me know if you need my help
Anyone moving this forward is warmly welcome :)
> for this or if FT will handle it from this point on.
We’ll see at the summit. In the current state of things I doubt the FT has the budget to do that.
#70 Updated by intrigeri 2018-09-14 11:26:06
u wrote:
> But yes, indeed, you can attach the patches here, and we can improve upon them from this point on.
Note to myself: once this is done, set target version to 2019 and reassign to lamby, as per summit 2018.
#71 Updated by lamby 2018-09-14 13:50:30
Again, Did we discuss this? I don’t recall doing so, thus just wondering if it’s a mistake to assign it over to me specifically? (If it’s “to be discussed” feel free to assign back - I note the “2019” target.)
#72 Updated by intrigeri 2018-09-14 14:04:23
> Again, Did we discuss this?
Yes (but very briefly!) during the FT meeting when we were brainstorming the tasks we want to add to our roadmap for the next years. Here’s what I remember: IIRC kibi expressed interest because he’s already worked on our Thunderbird patched package, then I asked “how is your JavaScript”, his answer suggested it would be better to assign the task to someone else, and after a show of hands you mentioned your JavaScript was OK. I probably jumped too fast to conclusions: the fact your JS is OK does not necessarily imply that you want to work on this specific task. Sorry! Either way, I think there’s quite some info I need to share with you before you can tell whether you want to take it or not, so let’s take this assignment with a grain of salt. If you prefer, feel free to de-assign yourself until we’ve had this conversation :)
#73 Updated by intrigeri 2018-09-14 14:04:54
- Assignee changed from intrigeri to lamby
#74 Updated by intrigeri 2018-10-16 15:40:56
- Assignee changed from lamby to anonym
- Target version deleted (
Tails_3.10.1)
#75 Updated by intrigeri 2019-02-11 10:48:18
- blocks Feature #16209: Core work: Foundations Team added
#76 Updated by intrigeri 2019-02-11 10:50:10
- blocks
Feature #15507: Core work 2019Q1: Foundations Team added
#77 Updated by intrigeri 2019-02-11 10:50:13
- blocked by deleted (
Feature #16209: Core work: Foundations Team)
#78 Updated by Anonymous 2019-02-28 17:36:05
anonym has rebased our patches - once again - on the current code base of Thunderbird. I’ve posted them all to the bug at https://bugzilla.mozilla.org/show_bug.cgi?id=971347 (also see https://bugzilla.mozilla.org/show_bug.cgi?id=971347#c197 for explanations).
Let’s hope that’s the last time we need to do that.
#79 Updated by intrigeri 2019-03-04 11:26:37
- Target version set to Tails_3.13
This probably won’t be completed in time for 3.13 but let’s make it clear that this should be on top of your list of non-urgent tasks.
#80 Updated by intrigeri 2019-03-11 14:33:50
- Target version changed from Tails_3.13 to Tails_3.14
#81 Updated by intrigeri 2019-03-12 14:20:05
- blocks Feature #16209: Core work: Foundations Team added
#82 Updated by intrigeri 2019-03-12 14:20:08
- blocked by deleted (
)Feature #15507: Core work 2019Q1: Foundations Team
#83 Updated by intrigeri 2019-03-12 14:47:31
- blocked by deleted (
)Bug #11481: Alert TorBirdy devs about Thunderbird upstream patch prefs
#84 Updated by sajolida 2019-03-14 17:04:42
- related to #15885 added
#85 Updated by Anonymous 2019-03-27 13:28:26
Thundebird people are organizing a bugday.
They have a document where they collect bugs to focus on: https://docs.google.com/document/d/1jQfOIuu_9KYPw_hfrPjwGrhQWKv-bzBDr214_tstMbc/edit#
I’ve added “our” bug there.
#86 Updated by intrigeri 2019-04-05 13:02:03
- Target version changed from Tails_3.14 to 2019
#87 Updated by intrigeri 2019-04-12 14:46:52
- Description updated
#90 Updated by anonym 2019-05-09 17:56:59
Big news! Most patches have been upstreamed!
Summary of upstreamed patches
You can look here for reference
- Minor stuff:
- Improve logging of guess instances.
- Add comment for pref.
- Invalidate config when restarting autoconfiguration.
- Tor compatibility
- Add pref for setting the autoconfiguration guess timeout.
- Add SOCKS proxy support for account guessing.
- Security
- Also fetch ISP configuration using SSL.
- New patch! Add pref for guessing only SSL configs. (This is ~half of “Add pref for whether to accept plaintext protocols during autoconfiguration” that we will discuss below)
Patches that are still not upstreamed
Make use of non-SSL Exchange AutoDiscover methods optional.
Thunderbird very recently (60.6.0) added a new autoconfig method, Microsoft’s AutoDiscover, which use two secure mehtods and one insecure HTTP fallback. On short notice I tried to secure it (i.e. only do the secure methods), but upstream didn’t like it (“it breaks the protocol”).
I propose we just disable this method entirely (mailnews.auto_config.fetchFromExchange.enabled
→ false
).
Add pref for whether we accept OAuth2 during autoconfiguration.
This is pretty bad, UX-wise, which can be demonstrated in current Tails:
- Start Thunderbird
- Quit autoconfig wizard
- Flip
mailnews.auto_config.account_constraints.allow_oauth2
totrue
- Start autoconfig wizard for $account@gmail.com (must be a valid one that you have the password for)
- Pick one of the two results (imap or pop, it doesn’t matter) you get; due to its priority Mozilla’s database will win, and its first pick is OAuth2 so that’s what you get (it’s not displayed unless you click the “Manual config” button)
- A browser window will open, asking you to login to the Google account, so enter $account@gmail.com and its password
- Observe the error message stating that you need to enable JavaScript
- Closing that browser window brings you back to the result screen from step 5, but now it says “the username or password is wrong”.
You are stuck in 8: autoconfig will bring you exactly here again no matter what you try. Your only option is to click “Manual config” and change authentication from “OAuth2” to “Normal password” (both for pop/imap and smtp). Good luck! :)
This breaks several providers, namely these Mozilla database entries that all employ OAuth2 as its first authentication option: gmail.com, google.com, googlemail.com, bk.ru, corp.mail.ru, inbox.ru, jazztel.es, list.ru, mail.ru. In addition to this any provider not in Mozilla’s database that serve a .well-known
config with OAuth2 first is also affected.
Add pref for whether to accept plaintext protocols during autoconfiguration.
This pref did two things:
- When fetching configs, discard all configs using plaintext protocols
- When guessing a config, only guess ssl protocols
If you look among the upstreamed patches you can see that the “new” patch adds a pref doing 2, so lets focus on 1.
1 is not so bad given that the upstreamed patch that makes us able to only fetch configs over ssl; an active attacked cannot inject a non-ssl config, so the provider must offer it. Let’s say a provider offers only plaintext (I have never seen this in the wild) then when a user accepts its plaintext config the wizard will turn to a bit scary red warning explaining the problem, and requiring a confirmation that the user actually wants to proceed.
Personally I think this is good enough.
Prefer fetched configurations using SSL over plaintext.
In Tails we only fetch over SSL, so this means nothing to us. But it’s a bit unfortunate for all other Thunderbird users. :/
Next steps:
- Agree to just disable Microsoft AutoDiscover.
- Discuss whether we are fine with only half of the “accept plaintext protocols” patch (i.e. the scary red warning is good enough).
- Probably continue as usual (manual patching + attempt to upstream) with the OAuth2 patch.
- …
- Celebrate?
#91 Updated by intrigeri 2019-06-01 05:32:59
- related to deleted (
#15885)
#92 Updated by intrigeri 2019-06-01 05:37:10
- related to
Feature #16771: Upgrade to Thunderbird 68 added
#93 Updated by Anonymous 2019-06-07 13:22:23
During our last meeting we decided that we still want to upstream the OAuth patch and apply anonym’s proposal above, ie.
disable
mailnews.auto_config.fetchFromExchange.enabled → false
and disregard
Prefer fetched configurations using SSL over plaintext.
for Tails.
#97 Updated by anonym 2019-06-19 10:59:21
(12:54:24) intrigeri: anonym: btw, wrt. the Thunderbird patch that they asked to file separately and we were not sure what was going on, I took a look a couple weeks ago, and I think their reply is easy to understand in the context of the commit message of the patch they’re refering to, which was a bit unclear: it felt you were refering to other code that was not submitted yet (which is not the case AFAICT), so they asked to submit that other code.
(12:55:11) intrigeri: anonym: with this context in mind, I think their reply (based on a misunderstanding) makes sense. clarifying the commit message should fix the misunderstanding, hopefully :)
#98 Updated by anonym 2019-06-25 10:36:53
anonym wrote:
> (12:54:24) intrigeri: anonym: btw, wrt. the Thunderbird patch that they asked to file separately and we were not sure what was going on, I took a look a couple weeks ago, and I think their reply is easy to understand in the context of the commit message of the patch they’re refering to, which was a bit unclear: it felt you were refering to other code that was not submitted yet (which is not the case AFAICT), so they asked to submit that other code.
> (12:55:11) intrigeri: anonym: with this context in mind, I think their reply (based on a misunderstanding) makes sense. clarifying the commit message should fix the misunderstanding, hopefully :)
I think I get it. This is the problematic commit message:
Add pref for whether we accept OAuth2 during autoconfiguration.
For many providers JavaScript is required for OAuth2 to work; with it
disabled autoconfiguration then result in a terrible UX (e.g. the web
login fails, has to manually alter the authentication method). Let's
provide a pref that discards OAuth2 configurations so e.g. extensions
that disables JavaScript (like TorBirdy) can provide a workaround.
If I understand correctly the problematic part is “can provide a workaround”. Ben understood it as something involving extra code for this “workaround”, but what I really meant was simply: “can provide autoconfiguration that doesn’t fail get stuck and fail as soon as OAuth is presented as a possible authentication method”.
#99 Updated by Anonymous 2019-06-26 09:19:10
I opened a new bug for the OAuth issue here: https://bugzilla.mozilla.org/show_bug.cgi?id=1561542
#100 Updated by intrigeri 2019-07-06 10:57:31
- related to Bug #16856: Use non-Riseup email for Thunderbird automated tests added
#101 Updated by intrigeri 2019-11-30 19:35:38
- related to Bug #17277: Make the Thunderbird autoconfig wizard not trust the result of DNS requests added
#102 Updated by hefee 2019-12-13 15:24:47
@anonym: what is the current status of this issue? As the last notice was six months ago, it would be great to know the current state to decide how to go on.
#103 Updated by anonym 2019-12-16 12:43:08
The only remaining thing is this: https://bugzilla.mozilla.org/show_bug.cgi?id=1561542
The reviewer is hesitant (yay…) but raised a possibly interesting point. Let me go through his full comment:
Magnus wrote:
> Setting this pref opens up other problems though. You may have to set your (gmail etc) account to use “less secure applications”, and without that you won’t really be able to log in + no good indications of why.
Fair point, although of course still infinitely better than the current situation.
> Maybe when we have several options, we could have them listed, and let the user change them if required.
This is already the case: you can click “Manual config” and then select any of auth methods from the two (IMAP/POP + SMTP) dropdoxes, but IMHO this does not qualify as a solution at all. This is not the path we want to take for auto-configuration.
> And/or you could consider temporarily enabling the js during oauth.
Huh, yeah, maybe? This would give the ideal UX (e.g. GMail should work out of the box, without having to configure your account to accept “less secure applications”) while only exposing Thunderbird to JavaScript shipped from hosts the user already trusts their email to (FWIW). If we also lock down JavaScript a bit (disable JIT etc) I think I’d be pretty confident. OTOH I don’t think this should be default behavior — others that disable JavaScript might not appreciate this and would then want a always_allow_javascript_for_oauth
pref.
Thoughts?
I also got an alternative idea for the “old” patch: instead of introducing yet another pref we could just check if JavaScript is disabled, and if so also disable OAuth2.
#104 Updated by intrigeri 2019-12-28 18:37:19
Hi,
> The only remaining thing is this: https://bugzilla.mozilla.org/show_bug.cgi?id=1561542
+ ensuring that our decisions from Feature #6156#note-93 are tracked somewhere: for example, it seems that back then we decided to drop a couple patches, but we still carry them and segfault had to refresh them for Thunderbird 68. Will you file tickets for these things? If not, I’m happy to do this with my FT lead hat on.
I’ve no idea about what is cheap or expensive to implement so some of my ideas below may be too wild. You tell me! :)
> The reviewer is hesitant (yay…) but raised a possibly interesting point. Let me go through his full comment:
tl;dr: I think having a pref that enables JS for OAuth2, even if it’s otherwise globally disabled, is the best lead we have. It requires further investigation but it would 1. avoid some UX nightmares (the current one, and the one the patch replaces it with); 2. avoid having to write more code to mitigate these nightmares.
> Magnus wrote:
>> Setting this pref opens up other problems though. You may have to set your (gmail etc) account to use “less secure applications”, and without that you won’t really be able to log in + no good indications of why.
> Fair point, although of course still infinitely better than the current situation.
That’s a strong statement. I understand you’re saying that the resulting UX, in this situation, is infinitely better than the one u reported about when filing that ticket. Is this what you meant?
I did not test myself but what Magnus writes suggests to me that, from a user’s perspective, it’s essentially just as bad: at the end of the day, you can’t read your email and you have no idea what to do to fix that. So I don’t really understand what’s “infinitely better”. Maybe the path to failure is less painful? Anyway, this may not matter much, see below.
>> Maybe when we have several options, we could have them listed, and let the user change them if required.
> This is already the case: you can click “Manual config” and then select any of auth methods from the two (IMAP/POP + SMTP) dropdoxes, but IMHO this does not qualify as a solution at all. This is not the path we want to take for auto-configuration.
I don’t understand what the “several options” are in this context.
It looks like there are two different use cases:
- Folks who have never used their GMail account in Tails before: they’ll have to log into their GMail account in a web browser, and do $stuff there, in order to get auto-config working. If we don’t tell them they need to do that at the right time, auto-configuration does not seem to be an accurate description of their UX :/
- Folks who have already configured their GMail account for “less secure applications”: in this case, I understand your patch does the right thing.
Problem is, Thunderbird can’t tell in which situation it is without trying, right?
Here as well, it may not matter much, see below.
>> And/or you could consider temporarily enabling the js during oauth.
> Huh, yeah, maybe? This would give the ideal UX (e.g. GMail should work out of the box, without having to configure your account to accept “less secure applications”) while only exposing Thunderbird to JavaScript shipped from hosts the user already trusts their email to (FWIW). If we also lock down JavaScript a bit (disable JIT etc) I think I’d be pretty confident.
IIRC, Torbirdy disabled JavaScript to protect against tracking and various kinds of infoleaks. These reasons certainly apply to HTML email and feeds coming from random places, but indeed, it could be that they don’t apply in a context (OAuth2) where the user is logging in anyway. IMO this requires a more detailed analysis, but I’m optimistic, and I encourage you to dive deeper in this direction :)
> OTOH I don’t think this should be default behavior — others that disable JavaScript might not appreciate this and would then want a always_allow_javascript_for_oauth
pref.
Indeed, having JavaScript running when one has explicitly set the non-default pref("javascript.enabled", false);
feels wrong.
> I also got an alternative idea for the “old” patch:
I don’t know what’s the “old” patch, so bear with me if I got the following wrong.
> instead of introducing yet another pref we could just check if JavaScript is disabled, and if so also disable OAuth2.
I understand it makes thing a bit more automatic outside of Tails (one still has to tweak their GMail account, but at least that’s one less pref they have to learn about and to set), which seems like a very good idea to me! Software discovering how to behave by itself seems better, in principle, than adding prefs :) But I still prefer the idea of making OAuth2 Just Work™ even when JS is disabled globally.
In the context of Tails, it would have no impact (neither good nor bad) on the UX, right?
#105 Updated by anonym 2020-02-11 15:52:38
- Target version changed from 2019 to 2020