Password security when using Thunderbird [RESOLVED]

[mkblack]

Using Thunderbird 3.1.7 and avast 5.0.677.  My accounts are with Gmail so I have those set to not use secure connections so that avast can make that connection.  I researched how to use the Gmail - Tbird - Avast trinity so I should be good to go there.  Not using Tbird to get my mail *yet* because I have one concern:

When authenticating to the gmail servers I have to set the IMAP Authentication method to "Password, transmitted insecurely" for it work. Same for the SMTP settings *.  My concern is the passing of my login credentials in clear text.  That's not acceptable to me.

Does the secure connection that avast makes cover the transmission of my login creds (sending them through the tunnel and securing them) or do they go out in the clear before the secure connection is established, airing them out for anyone to sniff?

* With the SMTP setting, should I use "No authentication" or "Password, transmitted insecurely" when using Gmail? Same question here: are my login creds covered by avast or are they clear text to the world?

BTW: I really like avast. It's quick enough and doesn't bloat my memory with a dozen different processes, like the Other Guys do.

Thank you!

[Pondus]

avast! 5.x: Some e-mails are not scanned by the Mail Shield
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=458



INFO: Gmail have there own mail security, using postini spam/virus filter that is scanning all mail accounts with twin AV engines, McAfee and Authentium

[MAG]

Good question. I'd like to know the answer too.

[Nesivos]

How does avast! 5.x secure web based e-mail services such as Yahoo, Gmail, etc.?

Web based e-mail services such as Yahoo, Gmail etc. usually have their own security options, because e-mails are received and stored on the remote Mail Server and users access their e-mail accounts remotely via their web browser. In other words, web based e-mail services are like any other website, and if you try to save, download or run a suspicious file from a web based e-mail account, it will be detected by the web shield built into avast! 5.x.

As a result you should not expect to see any scan history in the Mail Shield screen if using a web-based email services. If you have any doubts about the security of your web based e-mail service provider, you can alternatively launch your web browser within the avast! Sandbox and then access your web based e-mail account within this secure virtualized environment.

http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=455#idt_11

Avast came up with this message.

Can anyone explain please.

Avast - has detected a secure connection for your mail program (process
ImApp.exe) to the SMTP server 209.85.229.209 (gmail.com).

This type of connection cannot be checked for viruses. Please disable
SSL/TLS in your mail client so that the Mail Scanner will provide the
SSL/TLS security itself.

http://forum.avast.com/index.php?action=printpage;topic=57172.0

Combining both comments it seems to me that Avast does not transmit your password for Gmail any more than Avast transmits your password for any non-email website.

So when Thunderbird is saying with regard to the Outgoing Server Setting for Gmail

"Password transmitted insecurely----Connection Security - None"

it means in this case that the password would be sent insecurely if it was sent from Thunderbird.   However, the login and password are from at the Website location and not sent by Thunderbird because the Gmail website login is treated as any secure website login is handled; i.e. at the website itself.  As a result Avast handles virus checks like it does on any website.   That is Web Shield rather than Mail Shield is used to check the website.    Avast relies on GMail to check for email viruses that may be attached to email that you receive on Gmail.

Anyway, that is my understanding of how it works.

[mkblack]

I understand that when I'm accessing Gmail via a browser that the mail scan portion of avast is not going to see any hits, but will treat it like any other web page. I also know about turning off SSL/TLS in Tbird and all that so avast can scan the mail. I've got that covered.

I have several Gmail accounts that I use (personal, professional, other) so using Tbird to access them all at once makes more logical sense. My concern is when using Tbird and avast it seems there's an all or nothing kind of philosophy - Tbird uses no secure connections and relies on avast to make that connection, or Tbird establishes the secure connections and avast can't scan my email. This first option means that my login creds are transmitted in clear text, which anyone in the Infosec world will tell you that's a bad idea.

The question I have is will the secure connection that avast creates for Tbird cover my login creds? Are my creds passed in clear text before avast establishes the tunnel, or is the tunnel established then my creds are passed? The first option = bad. Second = good. That's the question.

Should I just use Tbird to make the secure connection and forget about avast being able to scan my email (rely on Google's in house AV as noted by Pondus)?

Thanks for the replies!

[mrk2010]

mkblack, what did you end up doing? I am in a similar situation and am debating whether to turn off SSL/TLS in Thunderbird and let Avast do its thing vs. leaving it on.

[mkblack]

I just turned SSL/TLS back on in Tbird and hope that Gmails AV systems catch anything.

The kicker for me is unencrypted passwords. I don't mind if avast does the SSL so it can scan the email stream... I just don't want my passwords being transmitted in the clear. You gain security in one area (AV) only to lose it in another (clear text passwords) apparently. There's a reason why no one (with any brains) uses telnet and FTP any more.

No one was really able to give me a clear answer on this, BTW.

[sded]

Your password is not transmitted insecurely, except between Thunderbird and Avast! inside your comp-uter. Avast! sets up a secure SSL connection with Gmail and then authenticates with your password over the secure link.  If you let TB encrypt your password, Avast! cannot handle the secure authentication since it doesn't have the key.

[Hermite15]

Your password is not transmitted insecurely, except between Thunderbird and Avast! inside your comp-uter. Avast! sets up a secure SSL connection with Gmail and then authenticates with your password over the secure link.  If you let TB encrypt your password, Avast! cannot handle the secure authentication since it doesn't have the key.

this

[mkblack]

Really?! That's awesome! Thanks for the replies sded and Logos!

[MAG]

Well, I get thunderbird connectivity shown on the FW with SSL disabled, but only during password entry - after that it's all avast. I think I'll reset thunderbird to SSL. Gmail does a virus scan anyway.

(It might be nice if someone from the avast team could comment on this topic.)

[Hermite15]

thunderbird does some http connections (checking for updates)... anyway what sort of connection do you see while entering the password? protocol and port?

ps: I can't check, I don't have AIS currently installed.

[sded]

For those interested in more detail, I have attached a Wireshark log of Thunderbird checking a Gmail account via Avast!.  This is what your firewall actually sees. All of the TCP and cryptographic handshake to set up the secure link is done before any "payload" data is transmitted.  Your user id and password are just application data to  authenticate your gmail account, and really have nothing to do with Cryptography. No application data is transmitted until after the cryptographic handshake is complete.  I have also attached the Wireshark capture log for those who have Wireshark- you can just remove the .log and execute it via Wireshark for a little more detail.
Update:  BTW, the columns are number,time, source IP (192.168.1.18 is my computer), destination IP, destination port (pop3s is 995), protocol, comments.  

[Hermite15]

thanks sded, this does of course confirm if needed that the password is transmitted securely. Nothing would work anyway if the procedure wasn't respected.

[MAG]

Thanks for the info SDED and Logos. I waited for update checks etc to finish before entering password on Thunderbird, and FW only showed TCP listening during password submission - so as far as I am concerned this is RESOLVED (however I'm not the OP).