Thunderbird/Security

From MozillaWiki
Jump to: navigation, search

Introduction

Thunderbird cares very strongly about the security and privacy of its users. To this end, there are various security-related activities maintained by the community that this page attempts to document.

There are two main aspects to security-related work:

  1. Security Engineering
    1. Designing Thunderbird to prevent vulnerabilities.
    2. Analyzing risk (and then mitigating it) by performing threat analysis and risk assessment.
    3. Finding vulnerabilities in Thunderbird.
    4. Vulnerability management and incident response activities.
  2. Security Software Engineering
    1. Maintaining/building security-related code (the Security component)
    2. Including strong security standards and technologies when appropriate.
    3. Building/researching new security-related features to improve the security of our users.

Security Engineering

Security engineering is a sub-discipline in the engineering space which focuses on designing systems which are robust to malicious actors or unintended effects. The most notable academic book describing this field was created by Ross Anderson and is available here: Security Engineering Book

There are security-specific activities that should occur during all parts of a product's development life-cycle including:

  1. Design - Designs should be analyzed from an "attacker's mindset" and threat analysis and risk assessment should be performed to determine the risk of such a design. The result may inform additional countermeasures to prevent issues down the road.
  2. Development - Security needs to be considered during development. This means educating developers, requiring code review, and integrating security into the entire development process via automated tools.
  3. Testing - Penetration testing are arguably the most popular security activity. In these activities internal or external parties try to find vulnerabilities in the source and will report them responsibly.
  4. Release - Monitoring should be done to find new vulnerabilities in the field. Vulnerability disclosure programs should exist to provide external researchers a way to report issues. Most importantly, security issues found must be analyzed and fixed in a reasonable amount of time.

Security Software Engineering

Security software engineering refers to software engineering related to security, rather than the security engineering discipline itself. This section describes various activities in that area:

Security Component

Issues and suggestions relating to the security-feature aspects of Thunderbird can be found on Bugzilla here: Bugzilla Security Component Page

The trend of open bugs in the security component can be found here: Bugzilla Charts Link

Trend of open security issues from Jan 2012 to June 2018

Security Features

This section lists various security features Thunderbird has implemented or is in the progress of implementing/improving.

Phishing Detection

Email phishing is a very common attack method and has proven to be very effective. Although elaborate technologies exist to protect users in many ways (encryption protocols to provide privacy, authentication methods to provide integrity, etc.), it is very hard to protect against the human agent. Around a 100,000 phishing emails are reported to the APWG (Anti-Phishing Working Group) each *month*.

Phishing Email Reports per Month (source: APWG H1 2017 Phishing Activity Trends Report)

Thankfully, Thunderbird does provide phishing (sometimes called "scam") detection. You can read more about this here: Thunderbird’s Scam Detection

The current implementation uses a series of fairly simple rules. It is an ongoing initiative to improve this detection.

Some bugs which track work in this area can be found below:

  • Bug 654502 - Main tracking bug for scam/phishing improvements.
  • Bug 1249562 - Mark emails with forms containing "action" URL as scams. (Fixed)
  • Bug 320351 - Learn what is not a scam (locally)
  • Bug 623198 - Proposal to disable scam detection by default

Academic Research in the Anti-Phishing Space