The list of additions, changes and fixes look impressive! But I’m still worried about Thunderbird’s future and the planned rewrite. It’s a tough position to be in, (as if) attached at the hip to Firefox and to deal with the obsolescence of XUL extensions and other things that come part and parcel of using a good amount of code from Firefox.
I still believe it was a poor decision by Mozilla to cut off Thunderbird and float it as a community supported project. It now seems partially blessed by Mozilla, but isn’t how it was before that separation (AFAIK). The main thing I’ve felt as a huge missed opportunity with Thunderbird has been the lack of native Exchange calendar integration (no, none of the extensions, past and present, are close to even the experience of using Outlook web access for this purpose).
I’ll continue using Thunderbird for at least a few more years and will support the project financially, but I feel Outlook web access is slowly chipping away the need to use a desktop client in enterprise environments that are tied to Exchange or Office/Outlook 365.
If you are on versions < 52, just know that this update won't be shown on the "About Thunderbird" page that checks for updates.
I was just in the same situation, and simply downloaded the installer from their main webpage [1] (after backing up my data in my profiles folder[2] and closing any running instances of Thunderbird), and it simply worked! I have to say, at least on Windows, the update looks much better, feels quite refreshing! Almost makes me want to actually check all the new emails :)
Yeah, unfortunately I don't have Linux (only WSL, but I doubt that would really compare since I don't use the GUI environments available), so I don't know whether upgrading like this will be safe. I'd personally wait until the repository developers bring it in, since there's no guarantee of what might happen.
https://mail.mozilla.org/pipermail/tb-planning/2018-May/0060... says "Manual updates of 60.0 will be the initial update mode, as we often do for a new release, because of the breadth of fixes and improvements. Manual-only updates (and updates via downloads) allows us to do a slow rollout to users, to get more user feedback than is possible during the beta period. Automatic updates will be enabled when we are satisfied that we have sufficient numbers of users and a sufficient level of quality - a process that typically takes some weeks."
> Thunderbird version 60 is currently only offered as direct download from thunderbird.net and not as upgrade from Thunderbird version 52 or earlier.
Anyone have any idea how this affects Linux? I am using Mint, and in the past the suggestion has always been "update through your repository", not with a download...
Sure, that is par for the course... normally. But I've never been told "Don't upgrade from version X to version Y" before, which is why I am asking if I need to do something different this time. (i.e., not wait for the distro update, because none will be coming...??)
Something overlooked, but which I have a lot of respect for is properly incrementing version numbers. It's rare to see semantic versioning properly work. Good job TB team.
I hope this will finally fix the "XML Parsing Error: Undefined entity"-bug that's been present for nearly a year now. Last I heard RedHat and the Thunderbird team were still bickering over whose bug it was or whether it was a packaging issue. It doesn't seem to be listed in the changelog, so I guess I shouldn't hold my breath.
Sweet, although IIRC several of the email providers with 2FA (Gmail and Outlook come to mind) have the option of providing app-passwords instead, which bypass the need for a 2FA token.
Just so you know, an app password downgrades the security of your 2FA+password pairing, and I never use app passwords because of that. If it was somehow possible to intercept the password used in the IMAP handshake, then that means access to your inbox without 2FA. This is why I am a huge fan of web-based clients and not things like Thunderbird.
> This is why I am a huge fan of web-based clients and not things like Thunderbird.
A false dichotomy. 2FA login is achieved through "web login", where an authentication token is obtained by presenting the service's 2FA interface in a web frame or a simple web browser. See e.g. the initial setup flow in Android 4.x - the Google login and password are a regular form, but if 2FA is enabled, you're shown a web browser.
Whether clients like Thunderbird implement web login remains a quality of implementation issue...
IMAP authentication is done within SSL, so you'd have to start with an SSL MITM to be able to access the password login anyways. If you're scared about people having access to that, there are quite a few password authentication schemes baked into IMAP that don't leak your password over the network (SCRAM-SHA-256, anybody?). That said, all IMAP servers in practice implement only plaintext auth, or maybe NTLM and Kerberos.
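To make concrete what "doesn't leak your password over the network" means for a mechanism like SCRAM-SHA-256, here is an added example that runs both sides of the exchange in one process. It is my own illustration, not code from any commenter, from Thunderbird, or from any IMAP server. It assumes a simplified message framing (no SASLprep, no channel binding, no extension attributes); the key derivation, proof and signature steps follow RFC 7677, and the usernames, passwords and nonces used in the test are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Added example: a minimal SCRAM-SHA-256 exchange (RFC 7677) with both the
# client and the server simulated in-process. Assumption: framing is
# simplified (no SASLprep, channel binding or error extensions).


def _h(data):
    return hashlib.sha256(data).digest()


def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(password, iterations=4096, salt=None):
    """Server-side enrollment. Note what the server keeps: salt, iteration
    count, StoredKey = H(ClientKey) and ServerKey; never the password."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "i": iterations,
        "stored_key": _h(client_key),
        "server_key": _hmac(salted, b"Server Key"),
    }


def scram_exchange(username, password, record, cnonce=None, snonce=None):
    """Run the four SCRAM messages between a client that knows `password` and
    a server that holds only `record`. Returns (messages, server_ok, client_ok)."""
    cnonce = cnonce or secrets.token_urlsafe(18)
    snonce = snonce or secrets.token_urlsafe(18)

    # 1. client-first-message: GS2 header "n,," followed by the bare part
    client_first_bare = f"n={username},r={cnonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: combined nonce, salt and iteration count
    nonce = cnonce + snonce
    server_first = "r={},s={},i={}".format(
        nonce, base64.b64encode(record["salt"]).decode(), record["i"])

    # 3. client-final-message: the client derives ClientKey from the password
    #    and sends a proof, which is ClientKey masked with ClientSignature
    attrs = dict(part.split("=", 1) for part in server_first.split(","))
    salt = base64.b64decode(attrs["s"])
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(attrs["i"]))
    client_key = _hmac(salted, b"Client Key")
    client_final_bare = f"c=biws,r={attrs['r']}"  # "biws" is base64("n,,")
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode()
    client_sig = _hmac(_h(client_key), auth_message)
    proof = _xor(client_key, client_sig)
    client_final = client_final_bare + ",p=" + base64.b64encode(proof).decode()

    # 4. server verifies using StoredKey only: unmask the proof, hash the
    #    result and compare with StoredKey. The password never crossed the wire.
    recv_proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    unmasked_client_key = _xor(recv_proof, _hmac(record["stored_key"], auth_message))
    server_ok = hmac.compare_digest(_h(unmasked_client_key), record["stored_key"])
    if server_ok:
        server_final = "v=" + base64.b64encode(
            _hmac(record["server_key"], auth_message)).decode()
    else:
        server_final = "e=invalid-proof"

    # The client checks the server signature as well, so a server that does
    # not hold ServerKey cannot bluff its way through (mutual authentication).
    expected_v = "v=" + base64.b64encode(
        _hmac(_hmac(salted, b"Server Key"), auth_message)).decode()
    client_ok = hmac.compare_digest(server_final, expected_v)
    return [client_first, server_first, client_final, server_final], server_ok, client_ok


if __name__ == "__main__":
    rec = enroll("correct horse battery", iterations=1000)  # constructed credential
    msgs, sok, cok = scram_exchange("alice", "correct horse battery", rec)
    for m in msgs:
        print(m)
    print("server accepted:", sok, "| client accepted server:", cok)
```

Two caveats worth keeping in mind when reading the exchange: the proof does not reveal the password to a passive observer, but a captured server-first plus client-final still allows an offline dictionary attack against the password, slowed only by the PBKDF2 iteration count; and a server-side leak of StoredKey lets an attacker impersonate the client to that server, which is why SCRAM is normally combined with TLS rather than used in place of it.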
Or a brute-force attack guesses your app password.
One of the major benefits of TOTP is that you have only a certain time window (usually, 30 seconds) to guess a password before the thing you're trying to guess changes and you have to start over.
With HOTP, you only get one guess before the goalposts move. The downside is that it's more vulnerable to DoS attacks when configured that way.
An app password has no brute-force resistance, so it lowers the security of your otherwise-2FA account overall.
> One of the major benefits of TOTP is that you have only a certain time window (usually, 30 seconds) to guess a password before the thing you're trying to guess changes and you have to start over.
This is, again, wrong. Guessing a 6-digit number will take, on average, 500,000 tries; if the answer changes with each guess, it will take only twice as much (same as when picking random guesses instead of iterating through all possibilities in order).
In fact, you might as well try "000,000" over and over every said 30 seconds, and your guess will eventually be correct after about the above-mentioned 500,000 tries.
I don't think you've understood what has to be guessed. It's not the OTP alone; it's the OTP and the password, together.
If the OTP "000000" is correct with 50% probability after 500,000 attempts, you've just increased the number of attacks necessary to brute-force a password against a live server by (conservatively) 50,000,000%.
If you are attempting a brute force attack against a particular password, you either need to know a single OTP and complete the attack before it changes ("the goalposts move"), or try every password with every possible OTP, or compromise the OTP secret.
In order to gain access to this system, you must supply:
- A username
- The corresponding password
- A TOTP code valid for the time you make the attempt
If any piece of information you give the server is wrong, you get an "auth failed" message which reveals nothing about which part(s) you got wrong. It is an oracle which answers only "yes" or "no".
Assuming you can guess (ask the oracle) once per second, that there are 52^8 possible passwords and 10^6 possible OTPs, and that every thirty seconds the valid OTP shifts to a new totally random value within the valid range, estimate the number of guesses necessary to find (with 50% probability) the correct combination of information. Now repeat the exercise, with the changed situational parameter that you no longer need to supply a correct TOTP.
I think you will find that the estimated time to crack is increased by much, much, much more than a factor of two by having the OTP. I would be interested to see any alternate answer and the reasoning behind the same.
Assuming the attacker has neither the password nor the OTP seed and must brute-force both (which is what 2FA is all about), the OTP doesn't add more security than the bits it has (about 20 for a 6-digit decimal number), plus the 1 bit because it's not constant. For this reason, I think it's misleading to say that there are moving goalposts or such. Neither the entire attack nor any part of it must be completed within 30 seconds or whatever the refresh interval is of the OTP token. Cracking both is still a classic brute-force attack.
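A worked computation of the exercise posed above (52^8 passwords, 10^6 possible OTP values, one guess per second, the valid OTP redrawn uniformly every 30 seconds), added here as an example and not part of any commenter's post. The probabilistic model it uses is my own assumption: with the OTP redrawn at random, every attempt is an independent trial with success probability 1/(P*O), so the attacker cannot cross off pairs already tried; the small toy-space simulation at the end checks that model rather than restating it.

```python
import math
import random

# Scenario parameters from the exercise above; the model is this example's
# own assumption, not any commenter's claim.
PASSWORD_SPACE = 52 ** 8        # 52^8 possible passwords
OTP_SPACE = 10 ** 6             # 6-digit TOTP
GUESSES_PER_SECOND = 1.0
OTP_REFRESH_SECONDS = 30


def median_guesses_password_only(password_space):
    """Sequential search over a fixed secret: 50% chance of success after
    half the space has been tried."""
    return password_space / 2


def median_guesses_with_otp(password_space, otp_space):
    """The OTP is redrawn uniformly at random every refresh window, so each
    attempt succeeds independently with p = 1/(P*O) and earlier failures
    cannot be excluded; the number of attempts is geometric:
    P(success within n) = 1 - (1-p)^n, hence n_50 = ln 2 / (-ln(1-p)).
    (The ~30 attempts per window that share one OTP change this negligibly.)"""
    p = 1.0 / (password_space * otp_space)
    return math.log(2) / -math.log1p(-p)


def years(guesses, rate=GUESSES_PER_SECOND):
    """Convert a guess count into years at the given guess rate."""
    return guesses / rate / (365.25 * 24 * 3600)


def otp_factor():
    """How many times longer the 50%-success search is with the OTP than without."""
    return (median_guesses_with_otp(PASSWORD_SPACE, OTP_SPACE)
            / median_guesses_password_only(PASSWORD_SPACE))


def simulate_median(password_space, otp_space, refresh, trials=1000, seed=1):
    """Monte-Carlo check of the model on a toy space. The attacker walks the
    password space in order and always submits the same OTP guess (0); the
    server's true OTP is redrawn every `refresh` attempts. Returns the median
    number of attempts until the (password, OTP) pair matches."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        true_pw = rng.randrange(password_space)
        true_otp = rng.randrange(otp_space)
        attempts = 0
        while True:
            if attempts and attempts % refresh == 0:
                true_otp = rng.randrange(otp_space)  # new window, new OTP
            guess_pw = attempts % password_space
            attempts += 1
            if guess_pw == true_pw and true_otp == 0:
                break
        results.append(attempts)
    results.sort()
    return results[len(results) // 2]


if __name__ == "__main__":
    n_pw = median_guesses_password_only(PASSWORD_SPACE)
    n_both = median_guesses_with_otp(PASSWORD_SPACE, OTP_SPACE)
    print(f"password only : {n_pw:.3e} guesses, {years(n_pw):.3e} years")
    print(f"password + OTP: {n_both:.3e} guesses, {years(n_both):.3e} years")
    print(f"factor        : {otp_factor():.0f}x, i.e. about "
          f"{math.log2(otp_factor()):.1f} extra bits")
    # Toy check: P=50, O=20 gives p=1/1000, model median ~693 attempts
    print("toy simulation median:", simulate_median(50, 20, 30))
```

The ratio the script reports is 2 ln 2 times the OTP space, roughly 1.4 million, which is what the "about 20 bits plus a bit" and "much more than a factor of two" descriptions above are each measuring from a different angle; the toy simulation lands near the model's 693 attempts, confirming that keeping one OTP guess fixed and waiting for the server to land on it behaves the same as guessing both at random.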
I could've sworn you had some granular level of control as far as what the apps are allowed to do when they access your Gmail account, e.g. Reading emails only versus read/reply/compose, etc. Maybe I'm thinking of OAuth.
For some reason I also thought there was some way of tying the app's identity to the password, such that if an app other than Thunderbird tried to use my Gmail Thunderbird-app password, Gmail would block it. But I'm probably wrong on that point.
I downloaded this while it was in beta to see whether they'd fixed the scaling issues with mixed DPI setups in XWayland, or better yet, moved to native Wayland. Alas, this is not the case.
Thunderbird is a great email client but I don't trust it when it comes to calendars and contacts.
Syncing with CalDAV/CardDAV or Google Calendar/Contacts has always been problematic, and apparently this is the very first version where you can edit single entries of a recurring calendar event. This does not help in building confidence in Thunderbird as a PIM.
Yep, same experience. I have used Thunderbird for many years, and tried to migrate my calendar workflow to it many times, and it just does not work. I really like it as an email client, and I'd like to use it as a scheduling tool too, but currently it's way too clunky to be of any practical use. Sync issues, UI issues, all kinds of issues. Hopefully they'll get their act together sometime.
I was hoping that Thunderbird would become a unified desktop equivalent of Mail/Calendar/ToDo of the apps we have on the mobile that can handle all the major providers (exchange, gmail, icloud, yahoo, pop, imap, etc...).
But it doesn't support a good chunk of these, which makes it difficult to adopt in my life.
I'm hoping that addons will spring up due to the renewed development efforts. As it is, I'm just using Nextcloud (Calendar & Contacts) alongside Rainloop for mail.
Looks good but not seeing too many performance improvements unfortunately.
Which is a shame, I much prefer Thunderbird to Kmail UI wise, but when processing thousands of messages (deleting, moving, filtering, etc) it slows to a crawl then freezes. Kmail stays responsive.
This is on a 16-core, 32 GB machine. But it doesn't look like the cores are used very effectively by TB, as opposed to Kmail.
For normal usage though it's great. Maybe the next release will focus on performance optimization, in particular multicore.
I currently have Thunderbird installed from apt but pinned to an ancient version that allows Lightning (the calendar tool) to work. (Newer versions broke Lightning on Linux, although I can't recall the failure mode.) Maybe I'll try out Thunderbird 60 on my work computer to see if it works better now...
It's funny, I actually only use Thunderbird for its calendar these days, not for email.
Has anyone had trouble accessing Gmail from Thunderbird in the last few weeks? Both my work and personal accounts have been intermittently syncing and I have no idea if this is a Thunderbird problem or something I have to change in my Gmail settings.
Anybody know if the line-wrapping has been fixed? In either this version or anything since <checks what I have> 52.9.1? The messed-up line-wrapping and quoting is easily my biggest problem with Thunderbird.
Gee I'm still on version 11. I tried updating once, got a ton of useless crap like calendars and shit and reverted back. Email is one of the few things that I want something very basic and crude.
In addition to the point others made about vulnerabilities, you should know that Thunderbird currently splits the calendaring features into an add-on called Lightning that is included but disabled by default. If you don't want a calendar, you won't get a calendar.
Careful. Old versions of internet-facing applications like email clients are dangerous and put you at risk. They often have widely known security issues which can allow malware to access your PC.
I'd advise upgrading Thunderbird and ignoring the features you don't use, or switching to an actively-maintained mail client which is designed to be simpler than Thunderbird.
Seeing comments here of people who want mobile-like or web-like features in Thunderbird, I feel old school, but daaamn, 11? That's 6+ years of piled remote vulnerabilities. Clearly Thunderbird is not to your liking and you should try other clients.