Security risks of continuing to use FossaMail

Posted: 2017-04-26, 19:50
by Lebowsky
I've been using FossaMail on my work laptop for over a year and I was rather disappointed to see its development stopped. OTOH, it is not as if I had offered to take over its development, so I fully respect the decision of course.

My question: what are the actual security risks of continuing to use FossaMail? I use only one account over IMAP, from my institution (which is a school), with SSL/TLS. I don't really understand what the risks are. Except maybe if new security standards are applied and FossaMail becomes obsolete? I am still using the same Thunderbird 2 on my private computer, so I guess I am more vulnerable there :)

So, can my mail be read by a third party or not? :)

Thanks for the clarifications. Don't hesitate to make the answer(s) idiot-proof...

Posted: 2017-04-26, 22:55
by Moonchild
The risks of using an outdated version of FossaMail or most other mail clients are much smaller than the risks of using an outdated version of a web browser. The main reason for this is that mail clients generally aren't exposed to foreign scripts (javascript in html-formatted e-mail isn't run, unlike what a web browser must do).
The security risks are not nonexistent though -- things like compression libraries, image libraries/decoders, HTML-mail rendering engines, or even the client code itself, etc. can have vulnerabilities that can be exploited in mail clients by sending you a specially-crafted e-mail. Thankfully, that doesn't happen very often, but running ancient versions is still dangerous.

Outdated encryption for connections to mail servers can also be a risk, but in that respect with FossaMail you should be good since it's unlikely that the crypto it supports for TLS connections will be broken any time soon. It's actually more likely that mail servers support weaker encryption in that case.
So no, if you connect directly to your institute's mail server over TLS, third parties can't read your mail.

I would recommend that you stop using Thunderbird 2 though. There are known exploitable vulnerabilities in it (e.g. the image libraries used have known (severe) flaws that can cause a bad image to crash it and execute malicious code on your system).

Posted: 2017-04-27, 16:43
by Lebowsky
Thank you!

I should add that I think, even though you want the development stopped, I (and probably a lot of other people as well) would find it useful to keep the build available for whoever wants to use it anyway (at their own risk), if only for historical/archival purposes. (But maybe it's just the historian in me.)

Thanks for all your work, I'll keep using Pale Moon too :)