Privacy and Security for Thunderbird Users
The NuevaSync team includes software engineers who have been users of Thunderbird and its ancestors since 1995. We've also written code for some of the Mozilla libraries used by Thunderbird (NSPR and LDAP). We share the Mozilla Foundation's historically strong commitment to maintain their user's privacy and to secure their data. To learn more please read the NuevaSync Privacy Policy. Any security-related questions and concerns should be sent directly to our Security Response Team
NuevaSync Thunderbird Add-On Security Information
Communication between the Add-On running inside Thunderbird on the desktop and NuevaSync's servers is protected by TLS/SSL.
NuevaSync servers will not accept un-encrypted connections, so even if the Add-On code is modified to attempt plain text communication it will not succeed.
Sync status information displayed by the Add-On in Thunderbird's status bar is fetched securely from NuevaSync's servers. Access control is implemented with a token scheme that does not require the password to be stored. The token only grants access to device sync status. Its possession does not allow for example any configuration changes to be made. Tokens issued in this manner may be revoked using the NuevaSync Control Panel web site, on the Account Settings page. For example if a laptop had the NuevaSync Thunderbird Add-On installed and was lost or stolen it would be prudent to use the Control Panel to revoke access tokens to prevent an unauthorized person from viewing your device sync status.
Sync status data displayed, does include a device unique ID; information about the time of day the device is active and the time of arrival for email messages (but no message content).
NuevaSync servers always use Cryptographic Certificates signed by a Certificate Authority present in Thunderbird. Self-signed or expired certificate are never used. Therefore any certificate validation error related to the use of our services should be treated as an indication of an attack. Do not override certificate validation.
Prior to un-installing the Add-On, users should remove any stored username and token (Thunderbird's add-on removal process does not delete this information). Follow the process to change username then click the "Remove"Stored Settings" button.
The Add-On uploads the following information to NuevaSync's servers when the user asks it to create a NuevaSync account: IMAP server host name and port; SMTP server host name and port; mail server username; mail server password. Transmission and password storage is protected with encryption.