Thunderbird 115 and Signatures Using The Obsolete SHA-1 Algorithm
As part of our continuing efforts to strengthen the security of Thunderbird, a change was made in version 115.0 that rejects the use of the SHA-1 algorithm in digital signatures of S/MIME emails.
The SHA-1 algorithm is nowadays considered insecure in most contexts, which includes digital signatures, as explained in the related Wikipedia article.
Because of the change in Thunderbird 115, when an affected message is displayed, an invalid signature will be reported.
You can spot such messages by looking at the message source, and search for the text micalg= in the message headers. If it is followed by the text sha-1 or sha1, you should contact your correspondent and ask them to upgrade.
Most modern email software that supports S/MIME should already be able to use another hash algorithm, for example SHA-256 is a more modern alternative. It might be necessary to change a setting to enable its use.
The Thunderbird team was recently made aware that the use of SHA-1 is still required in some environments, as some government agencies continue to send out messages based on SHA-1. Recipients of such messages asked for a way to confirm the validity of such signatures, despite the risk that the signature could have been forged.
To accommodate those Thunderbird users, starting with version 115.4.1 a new configuration mechanism will be made available. It can be used to accept S/MIME signatures based on SHA-1. To enable it, use Thunderbird’s settings, access the advanced config editor, search for the setting mail.smime.accept_insecure_sha1_message_signatures and set it to the value true.
Note that changing this setting is not recommended, and if you decide to set it, you should work with your correspondents to get them to change to SHA-256 or newer as soon as possible. Once your correspondents have upgraded, you should revert the setting to false.
Changing the setting will have no effect on the messages that Thunderbird sends. Thunderbird uses SHA-256 when sending digitally signed S/MIME email messages, and has been doing so for several years already.
The Thunderbird team understands that it might seem early to demand the deprecation of insecure algorithms while other software is still using it, given the incompatibilities that some users experience. However, aligned with our mission to increase the security of users, we hope that our actions can raise awareness and motivate deployments to upgrade to more secure settings, which otherwise they might not have done.