On Firefox, there is the awesome “Certificate Patrol” add-on (https://addons.mozilla.org/en-us/firefo ... te-patrol/) which can be used for certificate pinning. But as of now, the extension (version 2.0.14) is not usable with Thunderbird. It installs and uninstalls without problems, but shows no reaction on e-mail server connections via SSL/TLS. It probably would work if Thunderbird was used to browse web pages, which I don't do on principle, though – I use a securely configured Firefox to do that.
But never mind, as there is a way to use certificate pinning with Thunderbird (for e-mails, updates, etc.) without any extension, since, unlike Firefox, Thunderbird connects to only a limited number of servers. This is how it can be done:
1. In the “Certificate Manager”, prohibit all root authorities, i.e.: select the “Certification Authorities” tab, mark all (mark the first, hold the shift key and press arrow down until all are marked). Click on the “Edit trust” button (as the “Delete...” button won't work for all) and disable all checked boxes, for each authority. (It's a lot of clicking, which sucks as there is no way of doing it for all at once.) If you later wanted to revert to the original configuration, it can easily be done by closing Thunderbird, deleting the cert8.db file in your TB profile and restarting TB – the file will be re-created with the default configuration. See https://wiki.mozilla.org/CA:UserCertDB# ... e_Settings for info.
2. Let TB connect to your IMAP/POP3 (and later the sending) server – TB will show an invalid certificate warning (as there are no root authorities to verify it). Accept that certificate and you are done. Now, in the “Server” tab of the “Certificate Manager” you'll see your configured certificate and server, e.g. “imap.gmx.net:433”. (Other servers in that tab are the ones disabled by Mozilla, no need to configure anything there.) You'd also get the warning when the cert gets replaced, which you should not accept, of course. (Hint: Check under “Server” first if the old cert is e.g. about to expire, or was issued by the same authority as the new one, so that your mail server just uses several certs. Or you might be an unlucky customer of a service using several completely unrelated certs. Or the cert was replaced by an MITM.)
3. Add Mozilla update servers as well: Search for and run updates of TB and the used add-ons. While doing that, check for certificate errors in the Error Console of TB and add exceptions for the respective servers in the “Certificate Manager”. (Click the “Add exception...” button, enter the server, click “Download certificate” and add a permanent exception.) These should be the following servers (as of TB version 17.0.5):
aus3.mozilla.org:443 (used for search for updates for TB)
versioncheck.addons.mozilla.org:443 (used for search for updates for add-ons)
addons.mozilla.org:443 (used for downloading details of found add-on updates, if one clicks on “show details” (or so) for the respective found update)
addons.cdn.mozilla.net:443 (used for download of add-on updates)
possibly another server used for download of TB updates (can be checked in about:config) – I can't tell, as I don't use the user (i.e. non-admin) account, on which I configured the cert pinning, to download and install updates. And I disabled the use and the service of the Mozilla Maintenance Service for security reasons.
Note: If you use RSS/Atom feeds over HTTPS, you might need to add the respective servers too. I don't, so I don't know if TB will show a cert warning window as with e-mail servers, or just log an error in the Error Console as with the update servers. But it should be one of those, so that either point 2 or point 3 above applies.
Hint for Firefox: It would also be useful to pin the same Mozilla servers as in point 3 above in Firefox as well, as the “Certificate Patrol” add-on does not “patrol” them.
Hint on the importance of certificate pinning in general and pinning of (Mozilla) update servers especially: If you are not sure if that is important, notice the already existing blocked (by Mozilla) certificates for “addon.mozilla.org”, “mail.google.com” and others in the “Server” tab of the Certificate Manager of Thunderbird and Firefox. And those are just the ones which have come to light. And see here: http://www.economist.com/blogs/babbage/ ... security-0 (but you probably already knew that, dear fellow traveler). As has been widely publicized, the CA system is broken. And I see certificate pinning on the client side as an easy fix to that – no need to use or trust any third-party voucher, nor waste time, bandwidth or give up privacy asking the voucher for cert validity. And self-signed and/or expired certs work just as well (so, no need to pay anyone for a cert if you have a server either). Only a little manual research is needed when a cert changes (e.g. legitimately), or on a first-time access to (i.e. cert pinning of) a site whose connection security is critical to you: check what cert you see using a proxy – e.g. on https://www.ssllabs.com/ssltest/index.html (or others) or the TOR browser, via VPN, etc.
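The trust-on-first-use logic behind points 2 and 3 (remember the cert seen on first contact, flag any later change for the manual research described above), as an added example written for this post and not code from Thunderbird or Certificate Patrol. The PinStore class, the host names and the PEM samples are constructed for illustration; fetch_pem wraps the standard-library ssl.get_server_certificate call and needs network access.

```python
import base64
import hashlib
import ssl


def fingerprint(pem):
    """SHA-256 fingerprint of the DER certificate inside a PEM block, in the
    colon-separated uppercase form the Certificate Manager displays."""
    body = [line.strip() for line in pem.strip().splitlines()
            if line.strip() and not line.strip().startswith("-----")]
    der = base64.b64decode("".join(body))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Pins keyed by "host:port", like the "Server" tab in Thunderbird's
    Certificate Manager (hypothetical helper, not Thunderbird's own code)."""

    def __init__(self):
        self.pins = {}

    def check(self, host_port, pem):
        fp = fingerprint(pem)
        known = self.pins.get(host_port)
        if known is None:
            self.pins[host_port] = fp
            return "pinned"      # first contact: accept and remember (point 2)
        if known == fp:
            return "ok"          # same certificate as before
        return "mismatch"        # replaced cert: investigate, do not accept blindly


def fetch_pem(host, port=443):
    """Retrieve the server's leaf certificate as PEM (network access required)."""
    return ssl.get_server_certificate((host, port))


# Constructed samples: not real certificates, just bytes in PEM framing so the
# fingerprint and pinning logic can be exercised offline.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed sample cert A").decode()
              + "\n-----END CERTIFICATE-----\n")
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed sample cert B").decode()
             + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    store = PinStore()
    print(store.check("imap.example.net:993", SAMPLE_PEM))  # pinned
    print(store.check("imap.example.net:993", SAMPLE_PEM))  # ok
    print(store.check("imap.example.net:993", OTHER_PEM))   # mismatch
```

For a live server, feed fetch_pem("aus3.mozilla.org") into store.check and compare the printed fingerprint with the one shown in the Certificate Manager.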
Hope this helps.
P.S.: A principle similar to certificate pinning is “public key pinning” – see e.g. http://ssl.entrust.net/blog/?p=1752 – where not the whole certificate, but only its public key is pinned.