HowTo: ID and Avoid a TBird Bug, and Rake Your Email Client for Other Vulns

All of us use a desktop email client to fetch our email, to respond, and to screen out spam. When you click a link in an email, it normally opens in your default web browser and takes you to that site. But a link can be crafted so that, when you click it in Mozilla Thunderbird, the website opens in a Thunderbird tab instead of your default web browser.

Why is this a problem? Because if you have hardened your browser to any reasonable level of security, all those protections are bypassed when the link is opened in a TBird tab. I use Iceweasel/Firefox with modifications from the Tor Browser, which include various configuration changes and add-ons to enhance security and privacy. For example, the add-ons I use are TorButton, NoScript, RefControl, HTTPS-Everywhere, RequestPolicy, AdBlock Edge, and Element Hiding Helper. And I browse almost exclusively through Tor. None of these security mechanisms is in effect when links are opened in a TBird tab.