SOGo connector for Thunderbird
Hello all,
First of all, I hope this question has not been asked yet; I'm sorry if it's the case.
Actually, after Zindus reaching its end of life a year ago, I'm looking for a new way to synchronize my contacts, managed by Zimbra, with Thunderbird. In this context, I'd like to know what the Thunderbird community thinks about the SOGo connector for TB (http://www.sogo.nu/fr/downloads/frontends.html). In particularly, why is this add-on not installable through Thunderbird interface?
Thanks a lot in advance for your help,
Cheers,
Neirda
Chosen solution
Security is always a difficult question to answer. Certainly the stuff at add-ons.mozilla.org (AMO) does go through a code scrutiny process by moderators there. But the source code is from all over and the scrutiny is only as good at the person making the examination on the day. SOGO is an established open source project, so if security is really a worry, you can always hire someone to look through the source code. That is what AMO does. At a personal level I do not have to many worries about security of SOGO simply because it is open source, the code can be examined and it would be a brave project hat would mess in their own nest with malware etc in their package.
On the other hand, the connector is only a part of the SoGo package, a tool to connect to their groupware server software. A live demo of which can be accessed here http://www.sogo.nu/tour/online_demo.html The fact it can be used for other things is just a bonus for the community really and a byproduct of them using standards based protocols.
On a practical level many anti virus vendors insert add-ons into Thunderbird when you install their packages. These are what your calling unofficial as well (they are not on AMO). Given that many of them intercept and decode SSL encrypted communications, I would be more concerned that they have a backdoor for three letter government agencies and I would be about the sogo connector. My trust in internet privacy died a long time ago! but I still trust open source unless there is a reason not to, simply because source code is available.
Read this answer in context 👍 1All Replies (4)
Add-ons must be hosted on add-ons.mozilla.org for Thunderbird to find them but the add-on is installable, I installed it only a couple of weeks ago.
See http://chrisramsden.vfast.co.uk/3_How_to_install_Add-ons_in_Thunderbird.html
Hi Matt,
Thanks a lot for your answer and this explanation!
Actually, as this add-on is not listed in add-ons.mozilla.org repo, I guess it's not an official one, and I'm always very careful with this kind of developments... Basically, is there, according to you, any security issue? I don't want my organization LDAP to be hacked because of an unofficial add-on...
Thanks a lot,
Neirda
Modified
Chosen Solution
Security is always a difficult question to answer. Certainly the stuff at add-ons.mozilla.org (AMO) does go through a code scrutiny process by moderators there. But the source code is from all over and the scrutiny is only as good at the person making the examination on the day. SOGO is an established open source project, so if security is really a worry, you can always hire someone to look through the source code. That is what AMO does. At a personal level I do not have to many worries about security of SOGO simply because it is open source, the code can be examined and it would be a brave project hat would mess in their own nest with malware etc in their package.
On the other hand, the connector is only a part of the SoGo package, a tool to connect to their groupware server software. A live demo of which can be accessed here http://www.sogo.nu/tour/online_demo.html The fact it can be used for other things is just a bonus for the community really and a byproduct of them using standards based protocols.
On a practical level many anti virus vendors insert add-ons into Thunderbird when you install their packages. These are what your calling unofficial as well (they are not on AMO). Given that many of them intercept and decode SSL encrypted communications, I would be more concerned that they have a backdoor for three letter government agencies and I would be about the sogo connector. My trust in internet privacy died a long time ago! but I still trust open source unless there is a reason not to, simply because source code is available.
Hi Matt,
Thank you so much for your very detailed and illustrated answer, I really appreciate that.
What you say really makes sense to me, and I'm glad to learn more about Mozilla's processes in terme of Security and code inspection.
Have a great day,
Neirda