Thunderbird and end-to-end email encryption – should this be a priority?

In the last few weeks, I’ve had several interesting conversations concerning email encryption. I’m also trying to develop some concept of what areas Thunderbird should view as our special emphases as we look forward. The question is, with our limited resources, should we strive to make better support of end-to-end email encryption a vital Thunderbird priority? I’d appreciate comments on that question, either on this Thunderbird blog posting or the email list tb-planning@mozilla.org.

"I took an oath to defend the constitution, and I felt the Constitution was being violated on a massive scale" (Snowden)

In one conversation, at the “Open Messaging Day” at OSCON 2015, I brought up the issue of whether, in a post-Snowden world, support for end-to-end encryption was important for emerging open messaging protocols such as JMAP. The overwhelming consensus was that this is a non-issue. “Anyone who can access your files using interception technology can more easily just grab your computer from your house. The loss of functionality in encryption (such as online search of your webmail, or loss of email content if certificates are lost) will give an unacceptable user experience to the vast majority of users” was the sense of the majority.

In a second conversation, I was having dinner with a friend who works as a lawyer for a state agency involved in white-collar crime prosecution. This friend also thought the whole Snowden/NSA/metadata thing had been blown out of proportion, but for a very different reason. Paraphrasing my friend’s comments, “Our agency has enormous powers to subpoena all kinds of records – bank statements, emails – and most organizations will silently hand them over to me without you ever knowing about it. We can always get metadata from email accounts and phones, e.g. e-mail addresses of people corresponded with, calls made, dates and times, etc. There is a lot that other government employees (non NSA) have access to just by asking for it, so some of the outrage about the NSA’s power and specifically the lack of judicial oversight is misplaced and out of proportion precisely because the public is mostly ignorant about the scope of what is already available to the government.”

So in summary, the problem is much bigger than the average person realizes, and other email vendors don’t care about it.

There are several projects out there trying to make encryption a more realistic option. In order to change internet communications to make end-to-end encryption ubiquitous, any protocol proposal needs wide adoption by key players in the email world, particularly by client apps (as opposed to webmail solutions where the encryption problem is virtually intractable.) As Thunderbird is currently the dominant multi-platform open-source email client, we are sometimes approached by people in the privacy movement to cooperate with them in making email encryption simple and ubiquitous. Most recently, I’ve had some interesting conversations with Volker Birk of Pretty Easy Privacy about working with them.

Should this be a focus for Thunderbird development?

75 responses

  1. Faldrian wrote on :

    I’m currently using the enigmail plugin to do encryption and it works quite nice. But as you already stated, the content of encrypted messages is not included in search results (since the search uses an index and the index does not store decrypted messages – that is good!).
    I would like encryption to be part of the core of thunderbird or possibilities of better integration of enigmail – when you would add a way to also search encrypted messages (decryption on-the-fly for encrypted messages, using the search index for plaintext-messages) this would be a big step forward and a USP for this mail client. 🙂

    1. Ronan Jouchet wrote on :

      Yes! I have the exact same request as Faldrian: I *want* to use Enigmail (or any other encryption solution nicely integrated to Thunderbird), but the convenience loss due to becoming unable to search archived messages is too big.

      Un-breaking search would be a big win and would be one less obstacle in the way of enabling end-to-end encryption for many users.

      1. switch wrote on :

        IMAP is the issue here.
        I understand that being able to search mails is very convenient, but having your mails available on the server is also nice to have as a backup.
        So having a local searchable database and encrypted mails on the server would be my favourite solution.

    2. Tim wrote on :

      Or maybe encrypt the index with one of the private keys as well so that people can search as long as it’s loaded into memory.

      1. Pfalzgraf wrote on :

        I am a lot less concerned about thunderbird having access to your encrypted emails. If your computer is compromised then no amount of security on thunderbird’s side will keep your information safe. To make encryption more ubiquitous, I would prioritize making the experience of using encryption no different from not using encryption.

        1. Tim wrote on :

          Totally agree. I think the expectation when people mail (or chat) with someone else that they are only talking to the other side should be fulfilled by encryption at a lower layer (although there will always be a fundamental step to do out-of-band key verification, if you want to be really sure).

        2. Martin wrote on :

          I agree. Encryption integrated into Thunderbird without sacrificing user experience (e.g. search using index) would be my preferred solution.
          Thanks,
          Martin

  2. Tim wrote on :

    “The overwhelming consensus was that this is a non-issue. “Anyone who can access your files using interception technology can more easily just grab your computer from your house. The loss of functionality in encryption (such as online search of your webmail, or loss of email content if certificates are lost) will give an unacceptable user experience to the vast majority of users” was the sense of the majority.”

    Although this might be true, there is an enormous difference in visibility. While network owners and intruders can tap your data without you knowing, someone stealing your computer will definitely be noticed by (and alarm) the owner. Therefore AFAIK transport encryption has its use in stopping passive mass surveillance.

    “There is a lot that other government employees (non NSA) have access to just by asking for it, so some of the outrage about the NSA’s power and specifically the lack of judicial oversight is misplaced and out of proportion precisely because the public is mostly ignorant about the scope of what is already available to the government.”

    Interesting, still the whole point of Snowden was that things happened in secret, people were kept out of the loop and so were unaware. The fact that most are unaware of much more is only more reason to keep shining light on more secret stuff that should be vetted by the public, at least if you want to do it democratically.

    1. Tim wrote on :

      From Silent Circle about ZRTP (secure VoIP) [1] and attackers that don’t want to be detected:
      “Remember that the attacker places a very high value on not being detected, and if he makes a mistake, he doesn’t get to do it over.”

      [1] https://silentcircle.com/products-and-solutions/technology/zrtp/#is-the-short-authentication-string-sas-vulnerable-to-an-attacker-with-voice-impersonation-capabilities

    2. Aas wrote on :

      “Anyone … can more easily just grab your computer from your house.”
      It takes enormously more resources to seize millions of computers from “homes” than massive surveillance online.
      Besides, anyone can encrypt his hard drive with a click of a button during OS installation these days.

  3. Hervé wrote on :

    Ken, I forwarded your question to our French readers: Le chiffrement de bout en bout doit-il être une priorité de Thunderbird ?. Best regards.

    1. Hervé wrote on :

      Sorry, Kent!

  4. Rafi wrote on :

    I think yes.

    I often try to get my friends and family into all this privacy issue and I must bring an easy solution to help them use mail encryption, for example. But I can’t explain all the GPG thing to them because I know it’s too difficult for them, and they don’t want to bother with this.

    If Thunderbird had such a built-in feature I would be pleased to use it and to spread it as much as I can.

  5. David Ross wrote on :

    The argument by law enforcement for weakened encryption is invalid. It would expose my credit card numbers and tax returns (encrypted on my PC) to criminals. In the meantime, the government has proven more than once that it cannot keep its repositories of data secure.

    Yes, criminals, terrorists, and foreign agents might use encryption to communicate among themselves. They also use money. Are we to impair the flow of money in our economy for everyone because of some miscreants? They eat, but we surely are not going to restrict the general distribution of food.

    As a retired computer software test engineer — with over 30 years experience working with highly classified systems used to operate space satellites for the U.S. military — I know that the use of any weakness introduced into encryption methods cannot be restricted only to law-enforcement. Either encryption will be weak for everyone, or else it will be strong for everyone.

    Thunderbird should support OpenPGP, either internally or via external applications. However, see bugs #22687, #285715, #363302, and #415083.

    https://bugzilla.mozilla.org/show_bug.cgi?id=22687
    https://bugzilla.mozilla.org/show_bug.cgi?id=285715
    https://bugzilla.mozilla.org/show_bug.cgi?id=363302
    https://bugzilla.mozilla.org/show_bug.cgi?id=415083

  6. Naos wrote on :

    From what I see for now, Enigmail seems to provide a good (not perfect) solution on the matter and can be used as well with webmail. The good solution would maybe be to include it within Thunderbird on download and add a few options/explanations on how to use it.
    On the other hand, the bug on Lightning freezing thunderbird [since years !] with distant calendars seems a lot more critical to solve (but it seems there’s a change … today :p)

  7. Mebug wrote on :

    As Facebook allows adding a personal OpenPGP public key to profile settings and thus encrypt notification emails sent (experimental feature rolled out in June 2015) I think Thunderbird should have OpenPGP feature built-in (Enigmail is a first candidate). FB move could be a milestone in encrypting email messages and potentially every big player can allow for this in the future. Hope so…
    Read the story at: http://arstechnica.com/security/2015/06/facebook-users-can-now-add-openpgp-keys-for-improved-email-security/
    BTW: I hope new Firefox add-on policy will not kill all Thunderbird extensions quite soon.

  8. platypus wrote on :

    This should absolutely be a priority. To be honest, I have a hard time to understand why “anyone who can access your files using interception technology can more easily just grab your computer from your house”. First, siphoning data off a provider seems to be much easier than going to individual homes and grabbing hardware (and, in fact, we have plenty of evidence that the former happens and the latter doesn’t happen on any large scale). Second, as other commenters noted, breaking into homes is hard to do without anyone noticing while it’s incredibly easy at the provider. The whole Snowden debate teaches us the opposite lesson of that claim.

    As far as practical considerations go, there are two low-hanging fruit:

    1) Integrating Enigmail by default. Look at what the German providers Web.de/GMX have done in terms of onboarding
    2) Integrate OTR encryption into Thunderbird Chat. This is almost done (https://bugzilla.mozilla.org/show_bug.cgi?id=954310) and there is a sizable bounty (https://www.bountysource.com/issues/5925617-add-support-for-otr-and-encrypted-chats)

    As for the longterm view, collaborate with other people in the OpenPGP community on things like Secure Key Sync to improve the user experience of PGP users (https://blog.whiteout.io/2015/07/06/standardizing-secure-pgp-private-key-sync/)

  9. Jörg Wartenberg wrote on :

    Yes, this should definitely be the main focus of the future Thunderbird development!

    End to End encryption is a feature that will only work with a real email-Client. Have a look what TextSecure from Moxie Marlinspike and friends made for short messages. An easy to use, but highly secure communication system, that even my girlfriend likes to use. This is what Thunderbird should be for email.

    I would never trust Webmail systems, because I don’t know where the software comes from. Even if they encrypt End2End using Javascript in my Webbrowser, I can’t verify that this software is not modified by an attacker. With a fat client like Thunderbird, I can download the binaries and can verify by checksum that it’s a binary that a trustful organization audited.

  10. Haakon wrote on :

    “just grab your computer from your house” Point to point encryption aside, it was that which worries me the most, burglary or otherwise. I have for as long as TBird has been around been wanting the option to enable a password to open the app and for encryption of the local mail folders. The lack of these is why I run Haller’s PortableApps version from a dedicated VeraCrypt (previously TrueCrypt) container.

    1. Ken Saunders wrote on :

      Haakon
      “I have for as long as TBird has been around been wanting the option to enable a password to open the app”

      StartupMaster
      “This extension is a minor enhancement for Firefox & Thunderbird. It asks your master password every time you start the application before the main window is displayed.”
      https://addons.mozilla.org/thunderbird/addon/startupmaster

      It is not perfect or entirely solid and can be easily circumvented by someone who knows what they’re doing.
      At best, I’d say that it can protect you from nosy people at home from reading your emails.
      Since every little step makes it all that much more difficult and time consuming for someone to pry into your stuff, one other thing that you can do is hide folder and program icons and titles.

      To use a blank title under icons in Windows, right click on the icon > select Rename > press and hold the Alt key and press 255 on the -> keypad Properties > Customize > Change Icon. Windows offers a blank one but it has a faint border. Making your own is easy. Saving that icon in a directory on a portable drive is a good idea if you want to use this method on such drives.
      Change the “Sort by” order of your icons so that that blank one is last.
      It’s true that simply hovering over the blank icon will show something, but that’s unlikely to happen if you have other non-hidden things in a folder. People go for the obvious, they don’t spend time hovering over plain white areas.
      Just another step to make it difficult for snoopers.

      1. Ken Saunders wrote on :

        My paste job got messed up here.
        If you want to hide the title for multiple icons in the same folder/directory, press and hold the Alt key and press 255, let go, then press and hold the Alt key and press 255 again. If you have 4 titles to hide, press and hold the Alt key and press 255 4 times.

        Change the icon by right clicking on it > Properties > Customize > Change Icon. Windows offers a blank one but it has a faint border. Making your own is easy. Saving that icon in a directory on a portable drive is a good idea if you want to use this method on such drives.

      2. Haakon wrote on :

        Thanks for the suggestions. I’d assumed by my process in running a portable app in an encrypted container would impart an expertise beyond that of the elementary methods you took so much time to elucidate. As well, this discussion is not about “nosy people at home” and “making things difficult.” That said, I’m sure some might benefit from a hidden things strategy.

        I should mention I run the portable version of VeraCrypt and its renamed folder is buried way down in the Windows tree and the container is named like a system file buried elsewhere and protected by Serpent and a 32-character password. This is a strategy to combat “nefarious people not at home” and efforts toward “making things impossible.”

        BTW, backing up the encrypted container file daily to a flash drive and a NAS store, over the years I’ve never lost my email.

        Regards.

  11. Jeroen wrote on :

    I think both conversations bring up flawed arguments.

    Regarding the former, intelligence agencies of governments wiretap on a truly massive scale, essentially wiretapping everybody collectively. The structure of the Internet made this easy. Comparing this with raiding your home completely misses the point, since raiding homes is clearly not something that can be done on such a massive scale. If we use encryption technology to combat the massive nature of surveillance, we force intelligence agencies to focus on specific targets again, which would be a major privacy benefit for the general public.

    Regarding the latter, research tends to indicate the problem is not that people don’t care about privacy, but don’t know how to protect their privacy. They don’t accept all the flawed privacy policies on the Internet because they like them, but because they perceive no alternative. Petitions calling for NSA reforms will likely have many signatories who would like to use e-mail encryption but don’t because it’s too difficult to set up and operate, just like many opponents of Facebook’s privacy policy keep using Facebook because not only having privacy but also having a social life is important.

    So to answer your question, YES, Thunderbird should invest in making encryption easier and more ubiquitous, preferably even the default where possible. You will provide many people an option of privacy which was previously non-existent to them. Make it as easy as HTTPS Everywhere and enable it by default.

  12. Michael wrote on :

    Even as a computer scientist, I have NEVER sent or received a PGP-encrypted e-mail for non-testing reasons in the last ~7 years, although me and many of my contacts have PGP keys. The reason is quite simple: If I lose my key, I cannot read the mail any more, and (at the moment) I consider the probability of losing my private key a lot higher than that of being interesting for the NSA and friends so they would access mail at my provider. Moreover, there are even more reasons such as not being able to search the content of encrypted mail. For daily use, I find it more important to use a mail provider that I can trust and that uses a secure and verified server-to-server encryption for delivering my mail (this has, in the last months and years, become the case for probably all larger mail providers in Germany as a consequence of Snowden leaks). Living in Germany, if the police or an intelligence agency is allowed to read my email directly at my provider’s server, they could (regarding laws) probably also just enter my home and take my computer with them.

    Nevertheless, I find it important that, if I really want to, I can encrypt my mails end-to-end. But that is already the case using the Enigmail plugin, and even some web mailers of my providers have PGP-support (probably additionally requiring a browser-plugin) integrated now. Shipping Enigmail by default may, of course, be a good way to improve the out-of-the-box features.

    Regarding Thunderbird development, I would find features such as support for CardDAV as backend for my contacts or (as a “smaller” example) being able to use the RSS reader with self-signed etc. certificates (you cannot use a (https) feed at all at the moment if Thunderbird does not trust its certificate by default) much more important than another PGP implementation than that provided by Enigmail.

  13. Wade wrote on :

    I would say yes, end-to-end encryption should be a priority for Thunderbird. ‘Trust’ is an important aspect of email, but unfortunately not everyone is able to understand the dynamics of PGP so easily. Providing strong crypto with a great deal of usability should be heralded, so I therefore support any effort by Mozilla to make end-to-end crypto a priority in Thunderbird. Mozilla has been taking some great steps in promoting privacy, I think this would be another bold move forward.

  14. Vulcain wrote on :

    It’s a great idea \o/

    I think Thunderbird should go in two directions:
    * use end to end encryption and give a better privacy for their user. Of course, this must be interoperability end-to-end, not specifically for Thunderbird’s users.
    * show the level of the encryption when they use email. It’s the goal of the project CaliOpen, if I understand correctly (https://caliopen.org/)

    I explain, the second point. For a lot of users, Internet, email, computer is like magic and a geek who could use it and hack it are a rock star. By consequent, a lot of them think the mail is a secure communication, from field say always the thrust.

    I think Thunderbird should show the level of the confidentiality of the email:
    * your SMTP use or not TLS between Thunderbird and him
    * your SMTP don’t allow other SMTP to connect to him with TLS ( google push to it show the bad SMTP: https://www.google.com/transparencyreport/saferemail/ )
    * your SMTP keep your local IP in email header
    * Thunderbird is configured to allow picture in html email
    * Your mail provider don’t use DKIM or SPF
    * your mail provider allows a connection without login/password
    etc …

    1. Ken Saunders wrote on :

      Something I use.

      Paranoia
      “Check if your emails arrived TLS-encrypted (and which corporations were able to read it nevertheless)”
      “This extension shows two basic pieces of information in the incoming email header pane:
      Was the connection encrypted at all the time when this message was sent between servers?
      Which large corporations had a copy of this message and, theoretically, could read it?”

      https://addons.mozilla.org/thunderbird/addon/paranoia/
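
Several of the confidentiality indicators in Vulcain's list, and the per-hop check the Paranoia add-on's description mentions, can be read from a message's own headers. The following is an added example, not code from the add-on or from Thunderbird: it classifies each `Received` hop by its RFC 3848 `with` keyword, flags RFC 1918 addresses left in the headers, and notes whether a `DKIM-Signature` is present. The sample message and all function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the page): three relay hops, the
# middle one in cleartext, and a private LAN address left by the first relay.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby imap.example.org (Postfix) with ESMTPS id 4A1B2C
\tfor <bob@example.org>; Mon, 24 Aug 2015 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.20])
\tby mx.example.net (Postfix) with ESMTP id 9F8E7D;
\tMon, 24 Aug 2015 10:00:02 +0000
Received: from [192.168.1.23] (dsl-host.example.com [198.51.100.99])
\tby relay.example.com (Postfix) with ESMTPSA id 77AA10;
\tMon, 24 Aug 2015 10:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=constructed
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

# RFC 3848 "with" keywords: an "S" after the base protocol means the hop ran
# over TLS (ESMTPS, ESMTPSA, LMTPS, ...); a trailing "A" only means SMTP AUTH.
WITH_KEYWORD = re.compile(r"^(?:UTF8)?(?:ESMTP|SMTP|LMTP)(S?)A?$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _private_ips(text):
    """Return bracketed IPv4 literals in text that fall in RFC 1918 space."""
    found = []
    for literal in IPV4_LITERAL.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:  # e.g. [999.1.1.1]
            continue
        if any(addr in net for net in RFC1918):
            found.append(literal)
    return found


def hop_report(raw_message):
    """One dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        from_part = text.split(" by ", 1)[0]    # the sender side of the hop
        by = re.search(r"\bby\s+(\S+)", text)
        with_ = re.search(r"\bby\s+\S+.*?\bwith\s+([A-Za-z0-9]+)", text)
        protocol = with_.group(1).upper() if with_ else None
        keyword = WITH_KEYWORD.match(protocol) if protocol else None
        hops.append({
            "by": by.group(1) if by else None,
            "protocol": protocol,
            # True/False for a registered keyword, None when it is unknown
            "tls": (keyword.group(1) == "S") if keyword else None,
            "private_ips": _private_ips(from_part),
        })
    hops.reverse()  # headers are prepended, so the newest hop is listed first
    return hops


def summarize(raw_message):
    """Condense the per-hop report into the indicators a UI could display."""
    hops = hop_report(raw_message)
    msg = message_from_string(raw_message)
    return {
        "all_hops_tls": bool(hops) and all(h["tls"] is True for h in hops),
        "cleartext_hops": [h["by"] for h in hops if h["tls"] is False],
        "unknown_hops": [h["by"] for h in hops if h["tls"] is None],
        "leaked_private_ips": [ip for h in hops for ip in h["private_ips"]],
        "has_dkim_signature": "DKIM-Signature" in msg,
    }


if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
    print(summarize(SAMPLE))
```

`Received` lines are written by each relay, and a relay can forge the lines of the hops before it, so only the hops added by servers you trust are reliable evidence.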

  15. Ian Thomas wrote on :

    No. Like it or not, encryption is a niche feature and, given the available resources, well suited to being implemented by an extension. If extensions need additional APIs etc then these should be added.

    Encryption will only become mainstream if someone with more marketshare than Thunderbird finds a way to enable it by default. That’s going to need some form of web service to transparently handle creating, storing and sharing keys. I can see how a webmail service could implement that, but I can’t see how client software can overcome the usability issues.

  16. eduardo wrote on :

    not that I wouldn’t like encryption, but stop trying to fix a flawed protocol.

    email wasn’t designed with privacy in mind.
    PGP & GPG wont solve this issue.

    and we still have the metadata problem

    1. Bill B wrote on :

      > Email wasn’t designed with privacy in mind

      True.

      > PGP & GPG won’t solve this issue.

      Right, they are just a piece of the solution.

      > and we still have the metadata problem

      Indeed, but an encrypted body is definitely a step in the right direction.

  17. grey wrote on :

    Yes! Please!

  18. Ka wrote on :

    I would definitely appreciate included end-to-end encryption in Thunderbird. And it’s the only feature I’m really missing, which is why I use enigmail.

    On the one hand I know lots of people (friends, family, colleagues, even some of my pupils) who would like to use encryption but don’t get an addon like enigmail up and running on their own. On the other hand there are lots of people who are just not aware of email not being as private as they think: “Nobody cares for my emails.” Which is for most people true on an individual, analogue basis, i.e. nobody would pay a private detective or a burglar stealing the hardware in order to get the information. But automated surveillance is a totally different matter, since it’s easily done for the big companies and agencies. Those people would at least have a reason to rethink if email-clients would offer encryption by default.

    Nevertheless storing the private key safely is a problem, doing a backup has to be mandatory, since losing the key is simply not an option. Storing the emails encrypted and therefore not indexing them is definitely the safest way. But I think it would be nice to have the option of storing the email locally unencrypted. Sure, that does not help against the burglar and neither against local viruses and the like. And while the latter is a problem because of the high percentages of infected computers, the former is the “normal analogue way”: When receiving an important letter in an envelope, normally people just put it into a folder in the shelf without rewrapping it and without using a safe, which also does not help against thieves.

    1. Pfalzgraf wrote on :

      If you are worried about losing your private key or having it compromised then generate it on an air gapped computer (aka raspberryPi or something similar) and make sub keys that you use on a daily basis. That way you can revoke your sub key whenever you think it might be compromised and still keep the web of trust you have generated by just making another sub key.

      Why would you care about keeping the emails encrypted on your machine? If your computer is compromised then when you decrypt your emails to view, then they can be copied. If this bothers you then try Qubes. You can create “air gapped” virtual machines to store your more sensitive data.

  19. TBird Vet wrote on :

    > The overwhelming consensus was that this is a non-issue. “Anyone who can access your files using interception technology can more easily just grab your computer from your house. …”

    This is incorrect in many ways, and a much bigger concern is that it reflects a dangerous lack of understanding about security. Not everyone can be a security expert, but Thunderbird needs someone who possesses expertise and sophisticated skills in this area to help with these decisions.

    1) For attackers who have the capability to enter your home, almost always governments, clearly it’s still easier to collect data remotely. Not only do they save the resources of sending skilled personnel to your location, remotely they can collect your data as part of bulk surveillance.

    2) The existence of a workaround for the attacker (e.g., if data is encrypted on the wire, go to the user’s home) doesn’t negate the value of security. There is no perfect security; all security can do is raise the cost for the attacker. I think encrypted email greatly increases the marginal cost of collecting your data when it goes from near-zero (either you’re already part of bulk surveillance, or simply adding your address to a whitelist of addresses to monitor) to the cost of sending personnel to your home, removing your computer, and doing forensic analysis on it.

    3) For the great majority of users, governments are a relatively small threat. The biggest threats to privacy, by far, come from businesses, such as ISPs, vendors of other software on their devices, and email providers, and from malware.

    4) The attackers listed in #3 will never enter the user’s home and physically access their computer. What many will do, including ISPs, is read the emails on the wire and on hosted mail servers.

  20. David VANTYGHEM wrote on :

    Yes, I think it would be an important feature. But which encryption algorithm is really the best choice, the most secure?

  21. Sébastien wrote on :

    A native PGP should be wonderful !!!

  22. Pierre wrote on :

    How about a close collaboration with Dark Mail (DIME) ?
    I know some Thunderbird developers already got some contacts with them. Last time I checked, the specifications about their new protocols were almost finalized but for some reason, they had to make a fork of Thunderbird called Vulcano (that isn’t publicly available yet) for implementing their new protocols.

    I find this a bit sad that there is no closer collaboration because I think these people know what they are doing and honestly POP, IMAP and SMTP are outdated protocols, and we all know that PGP (already available with Enigmail BTW) doesn’t solve all the issues (although it is clearly better than nothing).

    Working together could be a win-win: for them to have less work on the development of the client and to benefit from the experience of the Thunderbird developers and for Thunderbird that could be the very first client that supports these protocols: free marketing as lot of media would speak of this, new users who would install and use thunderbird, and it’s in line with the objectives of the Mozilla foundation, isn’t it?

    1. Elliott wrote on :

      I completely agree with this. The first place to implement DIME is where I’m heading next.

  23. Coin wrote on :

    +1 excellent idea. Provide GnuPG email as a standard (in full transparency: thunderbird public server that hosts public keys database; we put our private key once when starting a thunderbird session and then enjoy ^^)

  24. Ingo wrote on :

    YES, YES, YES, native GPG/PGP would be super great!

  25. Patrik wrote on :

    Yes! Thank you.

  26. Stéphane wrote on :

    Yes, it would be greatly appreciated!!

  27. petr wrote on :

    Encrypting in Thunderbird? Yes, yes, yes. Thank you

  28. Henri wrote on :

    Yes, I think that should be a priority, it will bring encrypted emails to non-technical users. So the technical users can communicate with them via encrypted messages.
    I am using Enigmail and ProtonMail, but most of my mail isn’t encrypted. If I encrypt all my mail, I will communicate with less than 10% of my contacts ….

  29. Satai wrote on :

    Please help solving the chicken/egg problem and spread e2e encryption.

  30. KS wrote on :

    YES. Mozilla already supports Tor and other privacy initiatives. This would be fantastic to have an end-to-end encrypted, user-friendly email client. The first of its kind, as far as I know.

  31. Tomas Rusnak wrote on :

    Yes. Native support will be better.

  32. Dis wrote on :

    I consider transport security to be the most important aspect. I would like every part of the email encrypted, subject, content, headers and even recipients if possible.

    Encrypted storage is definitely not a priority, the OS does that very well already.

  33. Mitch wrote on :

    Yes!

  34. MikeMike wrote on :

    A native solution that just works and one is vetted by Mozilla would be spectacular. Not just for those who know they need it, but for the users that should, but don’t.

  35. Tim wrote on :

    related discussion on HN: https://news.ycombinator.com/item?id=10122242

  36. Gary Gapinski wrote on :

    I like Pfalzgraf’s comment: “To make encryption more ubiquitous, I would prioritize making the experience of using encryption no different from not using encryption”.

    I am currently quite pleased with the inbuilt S/MIME signing and encryption capabilities of Thunderbird using certificates and key pairs stored in PKCS11 hardware and software containers. Likewise its support of IMAP over TLS and opportunistic SMTP over TLS.

    I am uncertain whether GPG/PGP would be any easier, or prove more conducive to ubiquitous use.

    1. Orv wrote on :

      You make a good point. S/MIME already has some support in the business world. Services like StartSSL will generate a free personal certificate for you, which eliminates the argument of not wanting to pay for a cert.

      I like GPG/PGP, I think the technology is elegant, but if they haven’t caught on by now they’re not going to. Part of the problem is the whole “web of trust” concept has been a failure except in very close-knit developer communities. I think S/MIME looks like the way forward.

  37. AS wrote on :

    Well, of course, why ask? Just make it real simple to use. Thanks.

  38. BoerenkoolMetWorst wrote on :

    Yes to integrated OpenPGP or Enigmail!
    The searching through encrypted messages could be fixed by providing on-the-fly encryption/decryption of the entire message base, like The Bat! Professional does.

  39. Joe Anon wrote on :

    Yes. Privacy is important, and making it an out-of-the-box experience will be useful for “average” users!

  40. LK wrote on :

    Please implement end-to-end encryption. As an email user this is one of the most important issues for me. I work for a company that uses Patient History Information governed by HIPAA, and this functionality would allow me to argue that we should move away from MS Office and towards open source tools like Thunderbird. Personally, I want to make it as hard for invasive/fascist/megalomaniacal governments and ‘hackers’ to easily obtain my financial and other personal data that flows through email.

    Thank you Thunderbird team.

  41. Sean Palmer wrote on :

    I think it should be a priority. The main reason is email sits around for a long time in many different places. If the webmail provider or an ISP or some level of government wants to look at my email, they should need to conduct an active attack. I don’t want anyone being able to search through years of my old emails.

    I can still find my own emails by sender, recipient, and time, as well as stars and folders.

  42. Steven Hamilton wrote on :

    Just because there are other avenues for authorities to gain information shouldn’t negate the fact that we can tighten up our own domain. If, at some point in the hopeful future, we manage to legislate and close these legal loopholes that allow access to metadata through process, agencies WILL revert to the next best thing. If that is intercepting traffic, then that’s what they will do. All avenues of exposure need to be tackled.

    What I’d like to see in Thunderbird.

    * Transparent and built-in PGP setup as part of the wizard.
    * Enabling AT LEAST signing by default
    * Encrypting by default if the recipient is known to have a PGP facility.

  43. Anne wrote on :

    Yes! Please support GPG! It would be super great.

  44. Private Citizen wrote on :

    Yes! End-to-end encryption is perhaps the only hope for any sort of privacy. End-to-end might even mean email client to email client (with no SMTP server exposing metadata) … via WebSockets, WebRTC, or whatever. Simple and transparent integration with The Onion Router (TOR) might help as well.

    Besides just doing the right thing (to limit mass, automated, warrantless surveillance of everything on the internet), privacy protections might strongly differentiate Thunderbird. Even if such privacy protecting features were ‘optional’, the availability of such ‘open-source’ (and thus vettable) privacy features might make Thunderbird the first/best messaging client/app/platform.

  45. qwerty wrote on :

    Yes. It would be nice to have close connection with PGP.

  46. Tonda wrote on :

    Thunderbird has had X.509 PKI and S/MIME support for ages and I am using it occasionally; where is it lacking? PGP is a children’s toy.

  47. Nico wrote on :

    Yes, please! We need big e-mail clients to start supporting encryption so that it becomes mainstream!

  48. TB_AdminUser wrote on :

    I think it is vital that Thunderbird have the APIs necessary for *extensions* to implement *different types of* end-to-end encryption. I also think it is vital that Thunderbird users not be restricted to using only those extensions which are signed/approved by Mozilla. Together, those will assure that users have the flexibility they need to choose whichever approach works best for them.

    I think it would be helpful if Thunderbird supported some form of end-to-end encryption out of the box. Something as simple as symmetric encryption using a passphrase that you manually enter when necessary, or that you assign to a recipient/sender via address book field, would be sufficient for many uses. I *think* it would be easy to implement as well. Thus making it a viable option even in a limited resources context.

  49. Paul R. Rogers wrote on :

    Open GPG or Dark Mail please

  50. albatros wrote on :

    Yes, OpenPGP integration to make Thunderbird a safe communication tool.

  51. Hugo Thiessard wrote on :

    Yes! End-to-end encryption would be one step further for Mozilla in spreading the importance of privacy and encryption. By making it ergonomic and integrated, it would be easier for average users to use it or discover it.

  52. charlesay wrote on :

    End-to-end encryption is an essential property of free digital communication.
    Given that GPG is the most commonly used somewhat reliable tool we have to do end-to-end enc. in email, Thunderbird should provide the most usable and secure interface possible for it.
    But ultimately the architecture of trust in PGP (until it supports TOFU, which W. Koch is apparently planning) makes it hard to use securely. Because of that, it would be valuable to also look at alternative solutions like TextSecure and Pond and see how they could be facilitated by Thunderbird (or, probably better, a fresh environment Mozilla might help to develop).

  53. John Shea wrote on :

    Kent,

    First and foremost, thank you for your continued work in support of Thunderbird. For my needs, this is the best desktop email client available on any platform, and by a wide margin. That this has been the case for so many years says a lot about the quality and care that goes into this product. My gratitude goes out to you and the team.

    Regarding focus and priority, I don’t feel that end-to-end encryption is it. I’m sure it’s a feature that is of interest to some, but I can’t see it as a top priority. Even among those interested, there are problems. It’s typically difficult to set up for those who are non-technical and just want it to work. And for the same audience, there’s a bit of a false promise of security for reasons you mention in your post. So, even among the subset of users who would be interested, it’s an even smaller subset who won’t be scared off by the configuration and who will also understand what it offers, and does not offer, in terms of actual protection. On the whole, it seems a bit specialized to qualify as a candidate for central focus.

    What should be the focus? I’m sure you already have a list of good candidates you’re thinking about besides encryption, so I won’t give suggestions here. In general though, I’d look at features that would be of benefit to most. I’d also look at aspects of Thunderbird that are current core strengths, differentiators from other products, and raise the bar even higher. I’d also consider features that are entirely missing from Thunderbird but have perhaps become mainstream in other products.

    Best Regards,
    John Shea

  54. Cryptie wrote on :

    Absolutely YES but not because of law enforcement.

    Most of the people I speak with consider mail as a letter in an envelope sent by post. They do not understand that their mails are in fact postcards by default.

    I have heard lawyers telling me they are discussing cases with their clients by mail (and sometimes using a Gmail account…), medical doctors who keep in touch with patients by mail, and so on.

    When I explain to them what it means for the confidentiality of their discussions (i.e. that in the best case at least their mail providers have access to the content of those) they usually freak out (which is logical, as in my country a breach of confidentiality in one of those professions may lead to the end of their career).

    For all those reasons, we need an easy solution for end-to-end encryption, and Thunderbird is a good start for me. It will show a lot of people that it exists and that it is not only a thing for hard-core nerds.

    But this should be well done, keeping in mind that users are not computers but humans and thus may forget their passphrase, lose their keys, and so on. So this should be done in a clever way.

    About law enforcement:
    1) I fully agree with this conf of Christopher Soghoian (ACLU) at Defcon 22 when he says that when we say “NSA/law enforcement-proof technology”, people (esp. politicians) hear “we are protecting the bad guys”, not “we want to stay free”. Please watch this: https://www.youtube.com/watch?v=pM8e0Dbzopk
    2) They will always be able to get metadata for their investigation and will be able to get physical access to computers of bad people. They will just have to define their targets, as they are doing offline. And even in the Snowden context, I hope that the objective is not to prevent law enforcement from doing their job; the objective is to force them to stop mass surveillance and concentrate only on the bad people.

  55. Max wrote on :

    Of course end-to-end transparent encryption should be a priority.

    Enough people (3,639, to be precise) cared about this last year to crowdfund $163,192 to develop MailPile as a Thunderbird competitor to do just this. See https://www.indiegogo.com/projects/mailpile-taking-e-mail-back – we need an open source alternative.

  56. Charpy wrote on :

    Thunderbird power users want this feature, the “ordinary mass” users need it (even if they don’t know). We use plugins, but a native integration will add a lot of people, and will contribute to make everyone understand what’s happening with our privacy in the world.

    Please add it as soon as possible.. plz!

  57. Freddy wrote on :

    I think that encryption would be a nice-to-have, but not a priority at the moment.

    What I am far more concerned about is the storage of my personal data in non-standard formats. I am referring, of course, to the Mork thing which is used for Contacts data, and which I see referred to on Mozilla’s own Wiki as “the single most braindamaged file format that I have ever seen in my nineteen year career”. This sort of thing makes Thunderbird look a bit amateur, and must be a big barrier to increased institutional acceptance. It also must make it really difficult for third parties to make synchronisation software.

    So, storing Contacts in something standard like LDIF or whatever would be my vote for a high priority.

  58. eskualakari wrote on :

    Mails’ encryption SHOULD be by default with any distribution of Thunderbird!
    Please do all you can to make it possible!
    Most of the people just can’t tell the difference between Google and the internet so they can’t encrypt by themselves!
    Thanks for the work and for libre software!