Configuring Certificate Pinning with Thunderbird

User Help for Mozilla Thunderbird
Zine2013
Posts: 9
Joined: March 31st, 2013, 10:46 am

Configuring Certificate Pinning with Thunderbird

Post by Zine2013 »

On Firefox, there is the awesome “Certificate Patrol” add-on (https://addons.mozilla.org/en-us/firefo ... te-patrol/) which can be used for certificate pinning. But as of now, the extension (version 2.0.14) is not usable with Thunderbird. It installs and uninstalls without problems, but shows no reaction on e-mail server connections via SSL/TLS. It probably would work if Thunderbird was used to browse web pages, which I don't do on principle, though – I use a securely configured Firefox to do that.

But never mind, as there is a way to use certificate pinning with Thunderbird (for e-mails, updates, etc.) without any extension, as, unlike with Firefox, only a limited number of servers are connected to by Thunderbird. This is how it can be done:

1. In the “Certificate Manager”, prohibit all root authorities, i.e.: select the “Certification Authorities” tab, mark all (mark first, hold the shift key and press arrow down until all marked). Click on the “Edit trust” button (as the “Delete...” button won't work for all) and disable all checked boxes, for each authority. (It's a lot of clicking, which sucks as there is no way of doing it for all at once.) If you later wanted to revert to original configuration, it can easily be done by closing Thunderbird, deleting the cert8.db file in your TB profile and restarting TB – the file will be re-created with default configuration. See https://wiki.mozilla.org/CA:UserCertDB# ... e_Settings for info.

2. Let TB connect to your IMAP/POP3 (and later the sending server) – TB will show an invalid certificate warning (as there are no root authorities to verify it). Accept that certificate and you are done. Now, in the “Server” tab of the “Certificate Manager” you'll see your configured certificate and server, such as e.g. “imap.gmx.net:433”. (Other servers in that tab are the ones disabled by Mozilla, no need to configure anything there.) You'd also get the warning when the cert gets replaced, which you should not accept, of course. (Hint: Check under “Server” first if the old cert is e.g. about to expire, or was released by the same authority as the new, so that your mail server just uses several certs. Or you might be an unlucky customer of a service using several completely unrelated certs. Or the cert was replaced by an MITM.)

3. Add Mozilla update servers as well: Search for and run updates of TB and used add-ons. While doing that, check for certificate errors in the Error Console of TB and add exceptions for the respective servers to the “Certificate Manager”. (Click the “Add exception...” button, enter the server, click “Download certificate” and add a permanent exception.) That should be the following servers (as of TB version 17.0.5):
aus3.mozilla.org:443 (used for search for updates for TB)
versioncheck.addons.mozilla.org:443 (used for search for updates for add-ons)
addons.mozilla.org:443 (used for download of details to found add-on updates, if one clicks on “show details” (or so) to the respective found update)
addons.cdn.mozilla.net:443 (used for download of add-on updates)
possibly another server used for download of TB updates (can be checked in about:config) – I can't tell, as I don't use the user (i.e. non-admin) account, on which I configured the cert pinning, to download and install updates. And I disabled the use and the service of the Mozilla Maintenance Service for security reasons.

Note: If you use RSS/Atom feeds over HTTPS, you might need to add respective servers too. I don't, so I don't know if TB will show a cert warning window as with e-mail servers, or just log an error in the Error Console as with the update servers. But it should be one of those, so that either point 2 or point 3 above applies.

Hint to Firefox: It would also be useful to pin the same Mozilla servers as in point 3 above in Firefox as well. As the “Certificate Patrol” add-on does not “patrol” them.

Hint to importance of certificate pinning in general and pinning of (Mozilla) update servers especially: If you are not sure if that is important, notice the already existing blocked (by Mozilla) certificates for “addon.mozilla.org”, “mail.google.com” and others in the “Server” tab of the Certificate Manager of Thunderbird and Firefox. And those are just the ones which have come out into the light. And see here: http://www.economist.com/blogs/babbage/ ... security-0 (but you probably have already known that, dear fellow traveler). As has been widely publicized, the CA system is broken. And I see certificate pinning on the client side as an easy fix to that – no need to use or trust any third-party voucher, nor waste time, bandwidth or give up privacy asking the voucher for cert validity. And self-signed and/or expired certs work just as well (so, no need to pay anyone for a cert if you have a server either). Only a little manual research is needed when a cert changes (e.g. legitimately), or on a first-time access to (i.e. cert pinning of) a site whose connection security is critical to you: check what cert you see using a proxy – e.g. on https://www.ssllabs.com/ssltest/index.html (or others) or TOR browser, via VPN, etc.

Hope this helps.

P.S.: A principle similar to the certificate pinning is the “public key pinning” - see e.g. http://ssl.entrust.net/blog/?p=1752 – where not the whole certificate, but only its public key is pinned.
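Added example, not part of the original post: a Python sketch of the check behind step 2 and the P.S., comparing a presented certificate against a stored pin both as a whole certificate and by its public key (SubjectPublicKeyInfo). The host name, the pin-store layout and the `toy_cert` helper are assumptions made for illustration; the toy certificates are constructed, unsigned DER structures, not real server certificates.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first >= 0x80 else 0      # long form: n length bytes follow
    start = pos + 2 + n
    length = int.from_bytes(buf[pos + 2:start], "big") if n else first
    if first == 0x80 or start + length > len(buf):
        raise ValueError("indefinite-length or truncated DER")
    return tag, start, start + length

def spki_of(cert_der):
    """Slice the SubjectPublicKeyInfo element out of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] version field
        pos = end
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert_der[pos:end]

def fingerprints(cert_der):
    return {"cert": hashlib.sha256(cert_der).hexdigest(),
            "spki": hashlib.sha256(spki_of(cert_der)).hexdigest()}

def check_pin(host, cert_der, pins):
    """Compare the presented certificate with the pin stored for host."""
    pin = pins.get(host)
    if pin is None:
        return "unpinned"
    seen = fingerprints(cert_der)
    if seen["cert"] == pin["cert"]:
        return "match"                            # identical certificate
    if seen["spki"] == pin["spki"]:
        return "cert-changed-same-key"            # a public-key pin still accepts this
    return "mismatch"                             # new cert and new key: verify out of band

# Constructed sample input: structurally valid, unsigned toy certificates.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body         # short-form lengths only (< 128 bytes)
def toy_cert(serial, key):
    spki = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x03, b"\x00" + key))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + _tlv(0x30, b"") * 4 + spki)
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
```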
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: Configuring Certificate Pinning with Thunderbird

Post by LoudNoise »

Moving to Thunderbird Support
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
Zine2013
Posts: 9
Joined: March 31st, 2013, 10:46 am

Re: Configuring Certificate Pinning with Thunderbird

Post by Zine2013 »

Hint to Firefox: It would also be useful to pin the same Mozilla servers as in point 3 above in Firefox as well. As the “Certificate Patrol” add-on does not “patrol” them.

Correction to the "Hint to Firefox": I added that before testing. Now, after testing, it doesn't seem to work if one continues using built-in Mozilla CAs in Firefox: One can't add exceptions to valid certificates. One could work around that by temporarily disabling responsible Root CAs, adding the exceptions and re-enabling the CAs, but I'm not sure that would pin the cert to the server. I assume that Firefox would accept any other valid cert coming along for those servers as well, as it won't see any cert problem.

Before I try MITMing myself, dear support, what do you think? Would a server exception with all built-in CAs left at default result in a pinned cert, or would Firefox just silently accept another valid certificate for that server?

(And it seems too big of a hassle to disable all built-in CAs as in Thunderbird, and then having to actively add an exception for every cert on the planet, as currently needed with FF when it shows a (as e.g. on a self-signed cert) warning page. As I don't see any about:config parameter to disable that certificate checking FF behavior, to just let "Certificate Patrol" do the job. But then, FF would probably also accept any cert for the update servers as well.)
Last edited by Zine2013 on April 18th, 2013, 12:09 pm, edited 1 time in total.
Zine2013
Posts: 9
Joined: March 31st, 2013, 10:46 am

Re: Configuring Certificate Pinning with Thunderbird

Post by Zine2013 »

... But then, FF would probably also accept any cert for the update servers as well.)

I meant because "Certificate Patrol" doesn't "patrol" the update servers.

Would a server exception with all built-in CAs left at default result in a pinned cert, or would Firefox just silently accept another valid certificate for that server?

I'm able to answer that myself: It would just silently accept another valid cert. A pity. (I was able to see that, having had an exception configured for a website server whose cert was outdated (they didn't want to pay for a renewal) and then was replaced by a new valid one. Firefox itself just silently accepted the new cert, even though an exception had the old cert configured for that server. I think the same applies to update servers as well, as in TB they are handled similarly to the mail servers with respect to server cert exceptions.)