I wonder how I can be surprised to learn that #Mozilla's #Thunderbird collect telemetry infos (including your mail domain) and share them with partners such as #Amazon.
It's obvious they spy on your mails! 🤦♂️
Indeed, in case of crash, they even send to "their" #AWS servers a memory dump that contains sensitive data crash reports.
This likely include, your emails in clear, your private encryption keys¹ and everything else the program has loaded and kept in memory.
What does this means for an hypothetical attacker that can access such reports?
I mean... like a #USA agency arguing that you might be a terrorist or something.
Oh but sure... they shall do no evil...
https://www.mozilla.org/en-US/privacy/thunderbird/
#Privacy #Freedom #hypocrisy #Security #infosec
_____
1) Since version 68, Thunderbird does not use the #GPG suite via #Enigmail, but directly do encryption "to avoid licensing issues" 🤷♂️
@rysiek@mastodon.technology @mala
@Shamar @rysiek@mastodon.technology @mala A couple points... 1) When you actually read their policy it's not all that shocking. I would agree it's annoying that telemetry is on by default but you can opt out if you like. 2) Literally any communication that isn't end-to-end encrypted can be intercepted by any third party, not just the company that made your email client
No, indeed I surprised myself by being surprised by #Mozilla's bad faith.
I mean: ok, #Firefox is a surveillance tool marketed as a privacy friendly browser, but it's a "just" a browser.
But I was STILL thinking that good old #Thunderbird (that I do not use since decades but still suggested to others) was safe!
It's not.
#Telemetry is not just on by default and all data are received by #Mozilla through #AWS servers.
I really think such kind of defaults should be forbidden by law. And in fact they are forbidden by #GDPR as all data collection must be opt-in not opt-out.
Curiously, crash reports are disabled by default (as far as I can read online) so at least people are less likely to send them cryptographic keys in clear in a memory dump.
But the fun fact is that if you enable crash reports in the hope to let them improve a privacy friendly MUA, you sacrify your security (and your peer's security, exposing them to social engineering) to improve a surveillance software.
Indeed Thurderbird is sending back your interactions activities, so the fact that mails sent without #E2EE can be intercepted, is totally irrelevant.
@rysiek@mastodon.technology @mala
