
In Thunderbird (a popular open source email client), there is an extension store similar to Mozilla Firefox's, which adds further functionality to the client. Mozilla has an article detailing the security and safety of Firefox extensions (see Tips for assessing the safety of an extension). They state:

When a developer submits an extension to addons.mozilla.org, it’s scanned for a set of common issues. It may also be subject to human review. But neither of these processes guarantee that an extension is absolutely 100% safe. With permissions messages, you can see what data and features an extension wants to access, so you can make more informed choices about the software you’re considering.

I understand that no application or extension can be 100% safe. Everything on the internet poses a risk. I am curious whether Thunderbird add-ons go through a similar vetting process. In addition, I notice most Thunderbird extensions don't make proper use of permissions.

I found a website stating:

When a developer submits an extension to addons.mozilla.org, it’s scanned for a set of common issues. It may also be subject to human review. But neither of these processes guarantee that an extension is absolutely 100% safe.

However Thunderbird has been transferred to a subsidiary of Mozilla. Take a look at Wikipedia, which states:

On January 28, 2020, the Mozilla Foundation announced that the project would henceforth be operating from a new wholly owned subsidiary, MZLA Technologies Corporation, in order to explore offering products and services that were not previously possible and to collect revenue through partnerships and non-charitable donations.

In addition, the Thunderbird extension support page does not mention security at all. I find this odd, as for most people security when it comes to email is a high priority. Email, after all, is usually the primary method of logging into most websites.

For myself, the way I have judged most extensions' security is by their GitHub activity, reviews / number of downloads from the Thunderbird Extension page, and finally the longevity of the extension. This becomes difficult, however, as some extensions are maintained by one person. Take for instance the Signature Switch add-on. I find this functionality absolutely vital as I have more than one signature for emails.

What are people's thoughts on the potential risks? How likely is it that these plugins are malicious? Thunderbird is my favourite email client; however, it's quite limited without the further functionality provided by third party extensions.

Harrison G
  • The new Thunderbird development team has done some things I consider very insecure. Chief among this is storing PGP private key access passwords on the disk for automated decryptions. I switched over to **Interlink**, a Thunderbird fork: https://binaryoutcast.com/projects/interlink/ – user10216038 Aug 27 '21 at 03:57
  • I don't think this can be answered. A lot of it boils down to trust and risk tolerance, and how much effort you are willing to put into auditing a plugin. – multithr3at3d Aug 28 '21 at 13:15
  • Regarding *Signature Switch add-on*. I note on the link you provided: ***"Unfortunately with Thunderbird 91 sending e-mails does not work any longer as long as the plugin is active. :("***. *Account Settings* allows loading a signature from a file instead of a static setting. It would be trivial code to simply copy from a list of signature files. – user10216038 Aug 28 '21 at 16:37
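The Mozilla quote above points at permissions messages as the one thing a user can check before installing. Thunderbird MailExtensions declare those permissions in the `manifest.json` inside the `.xpi` archive (a zip file), so the request list can be read without installing anything. The following script is an added example, not code from the question, Mozilla or the Thunderbird project: it extracts the declared `permissions` and `optional_permissions` and flags those on a watchlist. The watchlist and the sample add-on manifest are constructed for illustration; the permission names are the ones Thunderbird's WebExtension API uses, but the choice of which ones count as sensitive is the example's own assumption.

```python
"""
Added example (not part of the original question or of any Mozilla/Thunderbird
code): list the permissions a Thunderbird MailExtension (.xpi) requests by
reading its manifest.json, and flag the ones that grant access to mail
content, account metadata or arbitrary web origins.
"""
import io
import json
import zipfile

# Watchlist of permissions worth a second look before installing. This set is
# an assumption made for the example, not an official classification.
SENSITIVE_PERMISSIONS = {
    "messagesRead",     # read message bodies and headers
    "messagesModify",   # change stored messages
    "accountsRead",     # enumerate accounts and folders
    "addressBooks",     # read/modify contacts
    "compose",          # create or alter outgoing mail
    "<all_urls>",       # host permission for every web origin
}


def read_manifest(xpi_bytes: bytes) -> dict:
    """Return the parsed manifest.json from an .xpi (a plain zip archive)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        with zf.open("manifest.json") as fh:
            return json.load(fh)


def requested_permissions(manifest: dict) -> dict:
    """Split declared permissions into required and optional sets."""
    return {
        "required": set(manifest.get("permissions", [])),
        "optional": set(manifest.get("optional_permissions", [])),
    }


def flag_sensitive(manifest: dict) -> set:
    """Return the required permissions that appear on the watchlist."""
    return requested_permissions(manifest)["required"] & SENSITIVE_PERMISSIONS


def build_sample_xpi(manifest: dict) -> bytes:
    """Build an in-memory .xpi holding only manifest.json (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed manifest for a hypothetical signature-switching add-on.
# "messagesRead" is deliberately present: a signature tool has no need to
# read existing mail, which is exactly the mismatch a reviewer should notice.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "Example Signature Switcher",
    "version": "1.0",
    "permissions": ["compose", "storage", "messagesRead"],
    "optional_permissions": ["accountsRead"],
}

if __name__ == "__main__":
    manifest = read_manifest(build_sample_xpi(SAMPLE_MANIFEST))
    perms = requested_permissions(manifest)
    print("required :", sorted(perms["required"]))
    print("optional :", sorted(perms["optional"]))
    print("sensitive:", sorted(flag_sensitive(manifest)))
```

To inspect a real add-on, pass the bytes of a downloaded `.xpi` to `read_manifest` instead of the constructed sample. The useful question is not whether a permission is on the list but whether it matches what the add-on claims to do; a signature switcher asking to read messages deserves the same scrutiny as a poorly maintained repository.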

0 Answers