
tbck's Introduction

Project Overview

TBCK doesn't document every toggle: anyone can look up what each setting really changes, most of them are self-explanatory anyway, and many get changed or removed by Mozilla after some time.

Please remember to back up your original prefs.js file before you add the modified user.js file to your profile folder!

This repository contains a list of about:config settings that I have changed for both preferential reasons, and also privacy and security reasons.

Secure e-mail protocols worth considering

  • OpenPGP - Thunderbird 78 (stable)
  • Autocrypt (also known as EPKS = Echo Public Key Sharing)
  • JPAM is only secure with specific (and well-known) RFCs

Overall Project Goal

  • Remove/disable all Thunderbird telemetry
  • Remove/disable all "startup connections"
  • Reduce all traffic caused by "unneeded startup connections".
  • Prevent leaks & exposures caused by fingerprinting attacks
  • Disable all sync/monitoring/pocket & other "useless" features
  • Provide a configuration which does not break too much
  • Reduce possible attack scenarios (security)
  • Remove/disable insecure protocols
  • Enforce stronger ciphers (the algorithms used for encryption and decryption) to mitigate possible attacks

Windows & Linux

The user.js files are usually identical. The only difference is that the Windows version uses Windows-style CRLF line endings, which you need to convert yourself if you want to use the configuration on your Linux OS.

Thunderbird 64-Bit (upgrade procedure)

If you want to upgrade your x86 (32-bit) Thunderbird to the 64-bit (x64) version, you have to uninstall the x86 version first; otherwise you end up with two installations and two profiles.

Your default profile is stored under %APPDATA%\Thunderbird\Profiles (%APPDATA% already expands to ...\AppData\Roaming, so do not append Roaming again). Back up its content first: the folder for your current profile is called xxxxxxxx.default. Just copy or zip the folder with Thunderbird closed, so that you get a fully functional backup. Uninstall the old x86 version, install the new x64 version, copy your backup back into the profile folder and start Thunderbird.

Configuration usage

In Thunderbird, you can get to the about:config window by going to Edit -> Preferences, selecting the Advanced panel and then the General tab, and clicking Config Editor.

In short, you can either open about:config, search for the prefs manually and set them, or you can put the user.js file into the profile folder, whose location differs across operating systems. Thunderbird reads user.js at startup and writes the values it contains into prefs.js, so a pref listed in user.js cannot be permanently changed through the UI as long as it stays in user.js.
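As an added example (not part of the tbck project's files), the following Python script parses a user.js and the profile's current prefs.js and reports which prefs the user.js will override on the next start, so you can review the effect of dropping it into the profile before doing so. The sample user.js and prefs.js below are constructed for this example; the pref names in them are real Thunderbird prefs, the values are illustrative. The parser normalizes CRLF line endings first, so the Windows and Linux variants of the file parse identically.

```python
import re

# One user_pref("name", value); line.  The value is a JS literal: true/false,
# an integer, or a double-quoted string (with \" and \\ escapes inside).
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def _literal(tok):
    """Convert the JS literal token of a pref line into a Python value."""
    if tok == "true":
        return True
    if tok == "false":
        return False
    if tok.startswith('"'):
        return re.sub(r"\\(.)", r"\1", tok[1:-1])  # unescape \" and \\
    return int(tok)


def parse_prefs(text):
    """Parse user.js / prefs.js content into {pref_name: value}.

    CRLF line endings are normalized first, so the Windows user.js parses the
    same as the Linux one.  Comment and blank lines are skipped; any other line
    that is not a user_pref() call is ignored rather than guessed at.
    """
    prefs = {}
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.lstrip().startswith(("//", "/*", "*")):
            continue
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _literal(m.group(2))
    return prefs


def _same(a, b):
    # 0 == False in Python, but a bool and an int pref are not the same setting
    return type(a) is type(b) and a == b


def pending_changes(user_js, prefs_js):
    """Return {pref: (current, wanted)} for every user.js pref whose value differs
    from prefs.js.  current is None when prefs.js does not mention the pref at
    all, i.e. Thunderbird is still running on the built-in default for it.
    """
    wanted = parse_prefs(user_js)
    current = parse_prefs(prefs_js)
    return {k: (current.get(k), v) for k, v in wanted.items()
            if not _same(current.get(k), v)}


# Constructed sample: a hardened user.js in its Windows (CRLF) form.
SAMPLE_USER_JS = (
    '// telemetry\r\n'
    'user_pref("toolkit.telemetry.enabled", false);\r\n'
    'user_pref("datareporting.healthreport.uploadEnabled", false);\r\n'
    '// startup connections\r\n'
    'user_pref("mailnews.start_page.enabled", false);\r\n'
    'user_pref("mailnews.start_page.url", "about:blank");\r\n'
    '// HTML mail and remote content\r\n'
    'user_pref("mailnews.display.html_as", 1);\r\n'
    'user_pref("mailnews.message_display.disable_remote_image", true);\r\n'
)

# Constructed sample: the prefs.js of a profile that has not been hardened yet
# (the start page URL is a placeholder, not Thunderbird's real default).
SAMPLE_PREFS_JS = (
    '// Mozilla User Preferences\n'
    'user_pref("toolkit.telemetry.enabled", true);\n'
    'user_pref("mailnews.message_display.disable_remote_image", true);\n'
    'user_pref("mailnews.start_page.url", "https://example.net/start");\n'
)


if __name__ == "__main__":
    for name, (cur, want) in pending_changes(SAMPLE_USER_JS, SAMPLE_PREFS_JS).items():
        print(f"{name}: {cur!r} -> {want!r}")
```

Prefs that prefs.js does not mention show up with a current value of None; those are the ones where Thunderbird was silently running on its built-in default, which is exactly the case for most telemetry and startup-connection prefs on a fresh profile.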

Extensions

extensions.strictCompatibility is set to false: since Thunderbird 60.0 Beta 8, add-ons that aren't labeled as compatible with Thunderbird 60 otherwise no longer load.

I recommend the following extensions, so you may find extension-specific flags in the user.js file. Even if you don't use them, there is no need to remove those flags manually from the configuration, since Thunderbird ignores prefs that belong to extensions that are not installed.

Install uBlock Origin into Thunderbird

The extension is not officially available at the Thunderbird Store (AMO); however, you can install it manually by downloading uBlock0_[version].thunderbird.xpi from the official source and then dragging and dropping it onto Thunderbird's Add-ons Manager pane.

profiles.ini

The profiles.ini file (%APPDATA%\Thunderbird\profiles.ini on Windows, one level above the Profiles folder) is a plain-text file; it can be opened, viewed and edited with a text editor such as Notepad or any other editor. Whenever multiple profiles exist, it lists the original "default" profile and the additional profiles, each with a path that is either relative to the folder containing profiles.ini (IsRelative=1) or absolute (IsRelative=0). This is interesting if you work with multiple profiles or want to move your profiles.

Example with multiple profiles

[General]
; 1 = Start with the last-used profile without asking at startup.
; 0 = Ask which profile to load each time.
StartWithLastProfile=1

[Profile0]
; The default profile is always created.
Name=default
; 1 = Path is relative to the folder containing profiles.ini (forward slashes); 0 = Path is absolute.
IsRelative=1
Path=Profiles/12345678.default

[Profile1]
Name=alicew
IsRelative=0
Path=C:\Mozilla\Firefox\Profiles\testp
Default=1

[Profile2]
Name=sheldon
IsRelative=0
Path=V:\Mozilla\Firefox\Profiles\test2

Warning for AntiVirus users

DO NOT enable the option that lets your AV scan your inbox; disable this in your AV program AND in Thunderbird.

The problem with this function is a possible security risk. It not only lets the AV engine scan the files, it also opens the e-mails to inspect their content and attachments, which might trigger certain things, like placing a cookie, letting the original sender know that you read the mail, or, in the worst case (if it's really spam), triggering an automatic subscription.

Attacks against S/MIME and PGP

The recently published paper "Johnny, You Are Fired!" showed that the signature check in mail clients can be bypassed.

What can (currently) be abused?

  • Exploiting the CMS (Cryptographic Message Syntax) flaws
  • Performing GnuPG API injection attacks
  • Constructing non-standard MIME trees
  • Displaying valid ID on the email header with a false signature
  • Mimicking valid signatures on the UI by using HTML and CSS

So how do we mitigate this in order to protect ourselves?

We disable/block HTML in e-mails and we disallow downloading third-party content (both are already done via our hardened user.js). The rest must be fixed within the plugins, because the mentioned attacks do not target the OpenPGP or S/MIME standards or the underlying cryptographic primitives; they abuse various flawed implementations.
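An added illustration (not from the paper or the tbck project) of why displaying mail as plain text and blocking remote content blunts the last attack class in the list above: a small Python renderer that behaves like a plain-text-only reader, taking the text/plain part when there is one and otherwise reducing the HTML to its visible text, never fetching remote resources. The two sample messages, the CSS for the fake "good signature" badge, the addresses and the tracker URL are all constructed here; only the standard library (email, html.parser) is used.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keeps visible text, drops markup and CSS, and records every remote
    resource the HTML would have loaded instead of loading it."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.remote = []
        self._skip = 0  # > 0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        for name, value in attrs:
            if name in ("src", "background") and value and \
                    value.lower().startswith(("http://", "https://")):
                self.remote.append(value)
        if tag in ("br", "p", "div", "tr", "li"):
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def render_plain(raw):
    """Render a raw RFC 5322 message the way a plain-text-only reader does.

    Returns (text, remote): the text/plain part if there is one (the HTML
    alternative is then never parsed), otherwise text/html reduced to its text;
    remote lists the URLs the HTML would have fetched, which stay unfetched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip(), []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return "", []
    p = _TextOnly()
    p.feed(html.get_content())
    p.close()
    lines = [ln.strip() for ln in "".join(p.chunks).split("\n")]
    return "\n".join(ln for ln in lines if ln), p.remote


# Constructed sample: an HTML-only mail whose CSS paints a fake "good signature"
# badge over the top of the message area and that carries a tracking pixel.
FAKE_BADGE_HTML = (
    "<html><body>"
    "<style>.badge{position:absolute;top:0;left:0;background:#cfc;padding:4px}</style>"
    '<div class="badge">&#10004; Good signature from alice@example.org</div>'
    "<p>Please pay the attached invoice today.</p>"
    '<img src="https://tracker.example/pixel.gif?id=42" width="1" height="1">'
    "</body></html>"
)


def constructed_html_only_mail():
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content(FAKE_BADGE_HTML, subtype="html")
    return msg.as_bytes()


def constructed_alternative_mail():
    """Same HTML, but with a text/plain alternative, which the plain reader prefers."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please pay the attached invoice today.")
    msg.add_alternative(FAKE_BADGE_HTML, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (constructed_html_only_mail(), constructed_alternative_mail()):
        text, remote = render_plain(raw)
        print(text, "\nblocked:", remote, "\n---")
```

In plain-text mode the badge text survives only as an ordinary line of body text: it loses the CSS positioning that placed it where the client draws its own signature status, and the tracking pixel is listed rather than fetched, so the sender learns nothing about whether or when the mail was opened. This does nothing against the CMS, GnuPG API injection and MIME-tree attacks, which, as the paragraph says, have to be fixed in the plugins.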

