Thunderbird 78 security warning if try to D/L Unseen mail

[phkhgh]

If anyone has experience / knowledge if there's anything I can really do about latest problem w/ Unseen.is (name may've changed), that doesn't introduce security risks, chime in. Or it may be time to find a new provider. I read a lot (of forum plants?) saying Proton is pretty good. I looked at it pretty closely 6 - 8 mo ago. Even the lowest paid level was quite affordable & seemed to have enough for avg home users. Folks claim their system is very stable (can't say that about Unseen.is). I forget if Proton allows alias accts or how many.

Newest problem happened around the time of updating to Tb 78 (clean install / extraction of Mozilla's vers. in Linux). BUT, the mail provider may be at fault. Did Unseen just change part of their mail server name & didn't tell users? I've tried several ways listed on their site to contact support & none worked. I think they've changed contact / support addresses, links & just don't mention it.

I don't know what's going on w/ provider Unseen.is - in Iceland (or they used to use mail.unseen.is).
Now they seem to have changed the country code on most of their website & mail servers, to use .tw (Taiwan). Why Taiwan - long way from Iceland? When I fetch mail, Tb gives warning:
https://imgur.com/qS370rX

But when I check "mail.unseen.is" on https://www.isitdownrightnow.com/mail.unseen.is.html, they say it's up for them.
I can't access email by client or webmail (Firefox) & I've found a few scattered posts asking same questions.
I doubt just changing Tb settings to "mail.unseen.tw" would ever work. I'm guessing it'd take setting up a new acct & they're not allowing new POP / IMAP accts.
Oddly, when I ping mail.unseen.is, it responds but with "mail.unseen.tw" extension.

So peoples "Lifetime email / chat / calling accts" they paid were good for a few yrs.
Some articles (some by upper level co. employees ) advised users to change security method to STARTTLS, which I believe carries some risks.
I tried that temporarily & Tb didn't give warning about wrong name on certificate, but it also didn't D/L new mail.

This is the certificate - accessible from the Tb popup about "wrong name" on certificate. I checked the certificate on a site some person suggested (forgot name). In general, it found almost all valid, but at the end of report, it said "it wasn't trusted because it wasn't signed by a ...." (forgot wording)
https://imgur.com/a/RqtNXZK

[tanstaafl]

When I go to https://mail.unseen.is using a Vivaldi (its based on Chrome) browser I get:

Your connection is not private
Attackers might be trying to steal your information from mail.unseen.is (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

See https://www.reddit.com/r/emailprivacy/c ... _unseenis/

[phkhgh]

Thanks. Yes, that's what I meant. I saw the reddit link & the very few other posts specifically about Unseen email provider. There were plenty of complaints for several email providers - not able to D/L from their mail provider after Tb 78 update.
Before I forget, on the Tb or Fx "Add Security Exception" popup, what is the button "Get Certificate", right above the "View" button? The View button shows the site's certificate, Would Get Certificate load the site's certificate into Tb or Fx? I tried "Confirm Security Exception" & uncheck "Permanently Store," but still didn't D/L any mail.

Some replies about email not working after Tb 78 (for several providers) said one reason could be that Tb 78 discontinued support for older TLS.
Doesn't seem to be an Unseen issue, IF you enter URLs using *.TW at the end instead of *.IS. On mail.unseen.tw, Site Info > Security, showed it was using TLS 1.3.

https://support.mozilla.org/en-US/kb/thunderbird-78-faq

Thunderbird 78 will not connect to servers that do not support the modern (over ten years old) TLS 1.2 connection security protocol. If your email provider only supports the outdated security protocols TLS 1.0 or TLS 1.1, then downloading (receiving) and sending emails will not work.

For MY issue, the main reason Tb warning gives - especially clicking "Advanced" in the popup, is the "WRONG NAME" on the certificate.
Tbird is trying to connect "mail.unseen.is" (the correct POP / IMAP server name until recently) while Tb shows their cert has mx01.unseen.tw for POP / IMAP addresses . Of course it's not going to connect.

The BURNING question in inquiring minds (well, mine) is what can I do about it w/o taking a real security risk. I have little doubt that the provider changed the URLs to .TW country code, but don't know why.
** I already tried creating a new Tb acct, using a recently good Unseen acct, but changing the country code to .TW, and using last good PW when the acct used country code *.IS

That stopped Tb from showing security warning, but it didn't connect to their server. It was a LOOOONG shot. Quite possible I'd have to create a new acct ON their site using *.TW, but I'm almost positive they're not allowing new "traditional" email accts. So much for their "Lifetime Accounts" so many users bought.
At https://mail.unseen.tw/ I get a normal Zimbra login page, which has an "English" icon & Mandarin? writing at top. When I enter an address & try to get a PW reset (never works), the Asian text starts flashing, like it's mad someone dared enter an English address, when the English text option was checked.

Since I & apparently any other posts I've found - anywhere- can't get in contact w/ support, we're left playing detective.

The main answer(s) I need, is about bypassing the warning - "confirming security exception."
Clearly, Unseen (the site) has changed almost all pages URLs from using the .is country code to .tw. No idea why. But most text on pages listing URLs still show *.unseen.IS. They never sent any notice in the last yr, saying paid premium accts would be ended along with free ones.

Even when I UNcheck the box, "Permanently store this [security] exception," (to test it) Tb tries to connect, but I don't think it will, because the account names on their servers were created as "DentalFlossTycoon@unseen.IS", NOT *.TW. Good way to get out of honoring lifetime (anything). Just change your "address" & ignore.

[tanstaafl]

You can change the account settings to use the new mail server name (which will probably make it change the local directory for the account, which you will have to reconfigure to use the old value) and create a security exception to make it ignore the bad certificate. But it seems you're just setting yourself up for future grief if you do that. And given their questionable business practices I'd worry about the privacy of my email. My advice is to walk away and choose a better email provider.

I've got several free email accounts but have paid for a account with fastmail.com for a very long time (I'm on a legacy plan and have also taken advantage of their multi-year renewal discounts). polarismail.com , inbox.lv and migadu.com would be on my short list to investigate if I decided to switch email providers. That's based on my needs, yours might be different.

"Some articles (some by upper level co. employees ) advised users to change security method to STARTTLS, which I believe carries some risks."

The main risk is whether your email client will return a error if its unable to upgrade the connection to a secure one. I've verified beforehand that Thunderbird would report that error, but its prone to regression errors. So its possible a year later you might find that you'd been using a insecure connection without your knowing it.

[phkhgh]

Thanks. I never replied to thank you for suggestions.
I've about come to the same conclusion as you. For email that may contain some personal info, paying a small monthly fee to a provider w/ good reputation is probably worth it.

Of course, you can always encrypt the email (and get on NSA watch list), but getting your contacts to use encryption is hard to do, even when containing some private info.

I had not heard of inbox.lv and migadu.com. Is the "lv" for Latvia, the religion / church from that country that George Costanza was going to join to get close to a female member of the same?

I've read many comments & had people comment to me that they'd used Proton mail for a long time & were satisfied with the service & the Privacy / TOS policies.

[tanstaafl]

Yes, inbox.lv is based in Latvia. Supposedly it has 430,000 unique users per day. inbox.eu (also in latvia) is run by the same company. In hindsight I should have mentioned it instead. http://emaildiscussions.com/showthread.php?t=76058

One potential problem with ProtonMail is its essentially a closed eco-system if you want to send secure messages from their webmail. If you use your account to send a message to somebody who doesn't have an account they have to click on a link to view the message in browser, using a passphrase you had to give them beforehand. You'd also have to install their imap/smtp bridge to use ProtonMail with Thunderbird.

https://posteo.de/en has a good reputation for security and privacy. The main reason they're not on my short list is if they decide a message is spam its never accepted and the sender is notified its not delivered. i.e. They don't support the idea of a spam or junk folder. I could live with that if there was some way to whitelist certain senders.

I don't know why https://www.privacytools.io/providers/email/ doesn't list MailFence or Private-Mail.

If you decide to use ProtonMail please post someday what you like/dislike about it, and how well the bridge works.

[phkhgh]

Thanks for the extra details. After you mentioned inbox.lv and migadu.com, I remembered I'd saved some "reviews" about several email providers.
I had the info that Proton made you use their app, "Bridge," to access mail w/o using webmail, but had forgotten. I don't know if that's totally a good or bad thing, since I don't know Bridge functions or if it sends / collects info that any other provider could get, using a client like Tbird. Or if they'd even disclose what (all) Bridge does or doesn't do. Have to research that more.

I've seen other providers that used apps for non-webmail use, but other than enabling encryption (one function), I've never found a detailed description for any of them - what info they collect or send, beyond bare necessities to send / receive mail.

You mentioned Fastmail. Also had some details (below) someone collected - wondered if you knew if especially 1 or 2 were correct.
I have NOT studied Fastmail's Privacy or TOS policies. Some policies (email or any business) are so broad & general language as to be almost worthless to determine any legally binding description of certain practices.

FastMail

If you register to use, or use, one of our websites or services [...] personal information that may be collected directly from you includes name, billing address, mobile phone number, organization name, your own domain name, IPa, browser user-agent and billing details. [how did you pay? is anonymous payment possible ? Money order, bit coin.]

We process mail sent and received from your account to block spam and fraud ??.

We also store information from your address book, calendar, notes and files on our servers. [You could not store data in those].

We also collect the email content you create, upload, or receive from others.

Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you're using to send mail and the email address you're sending to.

If you take action on mail in your mailbox, we also log the activities taken.

[Question]: are they talking about address book, calendar, notes - that are part of their webmail software (not your email client)? If so, it sort of depends on what they mean by "store information."
If so, and you use webmail, of course they "store" that info, or else nothing would be saved. I have no info on what they do with, or how long they store the mentioned data, other than save it for you.
If any provider doesn't put specific details in writing on exactly what they do with specific info, or exactly how long they store it, then the sky's the limit, unless their country forces certain practices.

Some providers may record addresses you send mail to, but only save the logs for 1 or 2 days, until the message is delivered or bounced back. Some don't include your IPa in sent messages.

Some users said they liked Runbox (in Norway). It's obvious that Norway has very structured & specific rules about private data, but I don't know that it's "users' privacy centered."
It's one of the most structured & detailed privacy policy I've ever seen, for any business.

[https://proprivacy.com/email/review/runbox (a review site) says Runbox requires REAL NAME]. Would you give them your real name? I don't think I would, nor my home address or phone #, just to an email provider. Never have to a Net site / business that doesn't really need it, in over 25 yrs. Not even to PayPal for acct name.

Though Runbox's PP states, "you may access and update this information at any time in the “Account” section in the Service."
What, change your "real name?" Doesn't make sense. I'll have to ask the people that used it, if they used a payment method that didn't require your legal name.

But Runbox's Privacy Policy, 2020-01-01, says, "None of the data collected through the [Runbox] Service is sensitive by the definition of the law, and therefore not subject to notification to the DPA (Norwegian Data Protection Agency) .
Apparently they don't consider your full name as sensitive data (on the internet).

Re: posteo.de I don't think I could use for a main provider, one with no spam folder & just deletes msgs. I've never heard of that practice until you mentioned Posteo.

[tanstaafl]

That's a legal blurb basically saying that anything you store in Fastmail's system they have access to. The address book and calendar they're talking about is webmail based contacts and calendar but if you use their CardDAV or CalDAV service to store remote address books and remote calendars they have access to it too. Elsewhere they make it clear that they don't sell your data and don't share it except as needed to perform requested operations (such as process a credit card payment).

Fastmail accepts several credit cards and Paypal. https://www.fastmail.help/hc/en-us/arti ... 4-Payments

I'm used to anonymous payment options being more of an issue for vpns (such as Mulvad) than email providers. There are email companies such as https://countermail.com/?p=privacy that claim 14 days after your payment they remove most sensitive information and only store the data that is needed for the accounting, such as the product you bought, the amount, the payment method, the date and the country.

I don't have problems providing my real name to a email provider. I provide my real name for my gmail account, but not my phone number and assume anything that relies upon googles services is risky.

I've read articles such as https://restoreprivacy.com/email/secure/ , https://www.privacytools.io/providers/email/ and https://www.guru99.com/secure-email-ser ... vider.html but IMHO there is a big difference between security, privacy and anonymity. I think you're blurring the boundaries too. I assume that if a government wants to access my email/data they will find a way (regardless of what the laws say and what country my email is hosted in) and don't worry about it. Its large corporations (and to a lesser degree, criminals) that I worry about.

https://xkcd.com/538/

Since you mentioned Runbox Fastmail supports Sieve, a email filtering language. Runbox, Tuffmail.com and Mailbox.org do too, though not as many extensions.
https://www.fastmail.help/hc/en-us/arti ... ve-scripts

Both Fastmail and Runbox have unofficial forums at https://www.emaildiscussions.com . That web site also has a "Email Comments, Questions and Miscellaneous" forum where they discuss the merits of various email providers, privacy issues etc. You might want to create a thread there asking for suggestions. They're pretty friendly.