Could Thunderbird's connection be hacked when browsing?

Discussion of general topics about Mozilla Thunderbird
Redukos
Posts: 5
Joined: September 22nd, 2016, 4:15 pm

Could Thunderbird's connection be hacked when browsing?

Post by Redukos »

Hello!

I'd like confirmation that my fears are stupid. :)

If I keep Thunderbird open and it connects to the email server, while I am also browsing different sites with a web browser, is there a possibility that some of those sites, cookies or whatever bad might be on them, can read or steal the email server password?

As Thunderbird connects to my email server, could any of those sites I browse see that password and hack into my email?

I am very grateful for any help!
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by tanstaafl »

Unless somebody installs malware you don't need to worry about a web site that you are browsing being able to access what's sent or stored by Thunderbird. However, you do need to be aware of the possibility of another tab/window in the browser using cross-site scripting attacks etc. to read the password that you typed in the browser. Rather than trying to figure out who I can trust, I always close any other tabs/windows whenever I need to log in to a web site.

You should configure each account in Thunderbird to use a secure connection (SSL/TLS or StartTLS) to avoid sending a password in clear text over the Internet when it logs in to the mail server. Some ISPs don't support that. In that case I suggest you sign up for a Gmail account and use it instead. It's also safer to use SSL/TLS rather than StartTLS. StartTLS is used to upgrade a normal/insecure connection to a secure connection (everything sent or received on it is temporarily encrypted). If it does that there is no practical difference between the two. However, you are relying upon Thunderbird breaking the connection if it detects the upgrade failed (or that the mail server says it doesn't support StartTLS) to avoid ever sending the password in the clear. It is supposed to detect that (and has in the past) but there is always the chance of a regression bug or some developer deliberately changing the behavior without you knowing it. So, if you have the option, always use SSL/TLS instead.

Thunderbird's new account wizard uses SSL/TLS for Gmail POP/IMAP accounts but uses StartTLS on port 587 for the SMTP server. However, Gmail does support using SSL/TLS on port 465 for the SMTP server.
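
The difference between SSL/TLS and StartTLS described in the post above, as an added example that is not part of the original thread: a small offline model of what happens to the password at the AUTH step under each setting. The mode names, the `password_fate` helper and the sample server replies are constructed for illustration and are not Thunderbird's code.

```python
# Added example (not from the thread): which connection-security setting can
# leak the password. Mode names and sample server replies are constructed.

def parse_ehlo(reply):
    """Return the extension keywords advertised in a multi-line EHLO reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:   # line 0 is the greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("malformed EHLO line: %r" % line)
        words = line[4:].split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def password_fate(mode, ehlo_reply=None, starttls_reply=None):
    """Return 'encrypted', 'abort' or 'cleartext' for the AUTH step.

    mode: 'ssl_tls'                TLS handshake before any SMTP traffic (port 465)
          'starttls_required'      upgrade or disconnect (the behaviour relied upon)
          'starttls_opportunistic' hypothetical regressed client that falls back
    """
    if mode == "ssl_tls":
        # No plaintext phase exists: a failed handshake means no session at all.
        return "encrypted"
    if mode not in ("starttls_required", "starttls_opportunistic"):
        raise ValueError("unknown mode: %r" % mode)
    offered = "STARTTLS" in parse_ehlo(ehlo_reply)
    upgraded = offered and (starttls_reply or "").startswith("220")
    if upgraded:
        return "encrypted"
    # The upgrade did not happen; only the client's policy protects the password.
    return "abort" if mode == "starttls_required" else "cleartext"


# Constructed replies on the plaintext side of a port-587 session.
EHLO_WITH = "250-mail.example.test\n250-STARTTLS\n250 AUTH PLAIN LOGIN"
EHLO_WITHOUT = "250-mail.example.test\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    for mode in ("ssl_tls", "starttls_required", "starttls_opportunistic"):
        print(mode, "->", password_fate(mode, EHLO_WITHOUT))
```

With StartTLS the outcome depends on the client choosing "abort" when the upgrade is missing or refused; with SSL/TLS there is no plaintext phase in which that choice has to be made.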
Redukos
Posts: 5
Joined: September 22nd, 2016, 4:15 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by Redukos »

tanstaafl wrote: Unless somebody installs malware you don't need to worry about a web site that you are browsing being able to access what's sent or stored by Thunderbird. However, you do need to be aware of the possibility of another tab/window in the browser using cross-site scripting attacks etc. to read the password that you typed in the browser. Rather than trying to figure out who I can trust, I always close any other tabs/windows whenever I need to log in to a web site.

Thank you for your reply!

I need to specify this: while I do keep other tabs closed when logging into somewhere, did I get this right that a cross-site scripting attack in the browser has no effect on Thunderbird if Thunderbird connects at the same time the browser has this issue?

tanstaafl wrote: You should configure each account in Thunderbird to use a secure connection (SSL/TLS or StartTLS) to avoid sending a password in clear text over the Internet when it logs in to the mail server. Some ISPs don't support that. In that case I suggest you sign up for a Gmail account and use it instead. It's also safer to use SSL/TLS rather than StartTLS. StartTLS is used to upgrade a normal/insecure connection to a secure connection (everything sent or received on it is temporarily encrypted). If it does that there is no practical difference between the two. However, you are relying upon Thunderbird breaking the connection if it detects the upgrade failed (or that the mail server says it doesn't support StartTLS) to avoid ever sending the password in the clear. It is supposed to detect that (and has in the past) but there is always the chance of a regression bug or some developer deliberately changing the behavior without you knowing it. So, if you have the option, always use SSL/TLS instead.

Thunderbird's new account wizard uses SSL/TLS for Gmail POP/IMAP accounts but uses StartTLS on port 587 for the SMTP server. However, Gmail does support using SSL/TLS on port 465 for the SMTP server.
Is this possible to configure inside Thunderbird's own menus?
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by tanstaafl »

"I need to specify this: while I do keep other tabs closed when logging into somewhere, did I get this right that a cross-site scripting attack in the browser has no effect on Thunderbird if Thunderbird connects at the same time the browser has this issue?"

Correct.

"Is this possible to configure inside Thunderbird's own menus?"

Tools -> Account Settings.
Redukos
Posts: 5
Joined: September 22nd, 2016, 4:15 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by Redukos »

tanstaafl wrote: "I need to specify this: while I do keep other tabs closed when logging into somewhere, did I get this right that a cross-site scripting attack in the browser has no effect on Thunderbird if Thunderbird connects at the same time the browser has this issue?"

Correct.
THANK YOU! Really, finally getting an answer to this is a relief. Now I can keep surfing with Firefox while keeping Thunderbird open without fear of losing my email account's password.

tanstaafl wrote: "Is this possible to configure inside Thunderbird's own menus?"

Tools -> Account Settings.
It seems Thunderbird for Mac has a bit different build: Preferences > Account settings.
I have one last question. Can you please check this screenshot and tell me, is this the best setting you described? It seems to be automatic as I have never touched these settings before. Is there something I should change?

Image
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by tanstaafl »

That looks fine. However, the issue was with the SMTP server, not the POP/IMAP account server settings. Look at "Outgoing Server (SMTP)" to see those settings. Your configuration is simple since you only have one account.

I have my Gmail SMTP server configured to use OAuth2 as the authentication, SSL/TLS as the connection security, on port 465. You could use normal password instead of OAuth2 if you configure your Google account (using a browser) to "Allow to let less secure apps access your Google account". See http://kb.mozillazine.org/Gmail for more information.
Redukos
Posts: 5
Joined: September 22nd, 2016, 4:15 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by Redukos »

tanstaafl wrote: That looks fine. However, the issue was with the SMTP server, not the POP/IMAP account server settings. Look at "Outgoing Server (SMTP)" to see those settings. Your configuration is simple since you only have one account.
Oh, sorry! Kind of a novice here. This seems fine?

Image



tanstaafl wrote: I have my Gmail SMTP server configured to use OAuth2 as the authentication, SSL/TLS as the connection security, on port 465. You could use normal password instead of OAuth2 if you configure your Google account (using a browser) to "Allow to let less secure apps access your Google account". See http://kb.mozillazine.org/Gmail for more information.

I'm not using Gmail for this though. The current mail server has been good so far.
I once tried and Gmail started giving an alert, saying it was not a safe connection. I see, so that's how you get past the alert.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by tanstaafl »

That seems fine.
Redukos
Posts: 5
Joined: September 22nd, 2016, 4:15 pm

Re: Could Thunderbird's connection be hacked when browsing?

Post by Redukos »

tanstaafl wrote: That seems fine.
Thank you so much!

Now I know that it is safe to surf while Thunderbird is open and that my settings are also safe. Two things that ease my naturally anxious nature. So again, thank you! It's not often I get such fast and precise answers to my software/tech related questions over the Internet's forums.