Thunderbird 188.8.131.52 was recently released to the world: yet another security release for Thunderbird. Yay, and thanks to all involved! All was well, until news came in through a bug report that one of those included updates is problematic for some users.
Specifically, as part of making Firefox 184.108.40.206, we made a change in how the underlying platform handles SSL certificates. That change was made to increase the privacy of people visiting certain web pages, as documented in this advisory.
The problem is that the switch (asking users to confirm that they want to identify themselves with a certificate) makes sense for web pages, but it doesn’t make sense as implemented for email transactions. There’s a lot more detail in the relevant bug.
Luckily, this problem likely doesn’t affect the vast majority of Thunderbird users. It only affects users who are issued a certificate to secure the communication with the mail server, rather than relying on passwords. With the 220.127.116.11 release, those users end up being asked to confirm the use of the certificate on every connection, which gets to be annoying.
Most of the users affected are likely in large organizations, as they are the ones who tend to issue their own certificates. Luckily, those organizations also often do their own QA before a deployment, so in all likelihood few people will be exposed to the bug.
Getting a fixed Thunderbird 18.104.22.168 out is planned, but we’re trying to figure out how to prioritize this release relative to the other releases.
In the meantime, there is a simple workaround that can be applied per user (revert a preference setting), or, for those deployments using autoconfig, by tweaking the central configuration file.
We could also release a XPI add-on to fix the preference, but that may or many not be easier — feedback welcome.
I’d love to hear from administrators of large Thunderbird installations in particular, as this bug highlighted for me several of the challenges we have in making sure that our processes are aligned with those of large deployments.
I’m also thinking that we need to setup better communication channels with people deploying large installations of Thunderbird (email lists, different blogs, etc.). If you’re involved in large-scale deployments of Thunderbird, email me and let me know your thoughts.