Thunderbird and end-to-end email encryption – should this be a priority?

I’m currently using the enigmail plugin to do encryption and it works quite nice. But as you already stated, the content of encrypted messages is not included in search results (since the search uses an index and the index does not store decrypted messages – that is good!).
I would like encryption to be part of the core of thunderbird or possibilities of better integration of enigmail – when you would add a way to also search encrypted messages (decryption on-the-fly for encrypted messages, using the search index for plaintext-messages) this would be a bit step forward and a USP for this mail client. 🙂

“The overwhelming consensus was that this is a non-issue. “Anyone who can access your files using interception technology can more easily just grab your computer from your house. The loss of functionality in encryption (such as online search of your webmail, or loss of email content if certificates are lost) will give an unacceptable user experience to the vast majority of users” was the sense of the majority.”

Although this might be true, there is an enormous difference in visibility. While network owners and intruders can tap your data without you knowing, someone stealing your computer will definitely be noticed (and alarms) the owner. Therefore AFAIK transport encryption has it’s use in stopping passive mass surveillance.

“There is alot that other government employees (non NSA) have access to just by asking for it, so some of the outrage about the NSA’s power and specifically the lack of judicial oversight is misplaced and out of proportion precisely because the public is mostly ignorant about the scope of what is already available to the government.”

Interesting, still the whole point of Snowden was that things happened in secret, people were kept out of the loop and so were unaware. The fact that most are unaware of much more is only more reason to keep shining light on more secret stuff that should be vetted by the public, at least if you want to do it democratically.

Ken, I forwarded your question to our french readers : Le chiffrement de bout en bout doit-il être une priorité de Thunderbird ?. Best regards.

I think yes.

I often try to get my friend and family into all this privacy issue and I must bring an easy solution to help them using mail encryption for example. But I can’t explain them all the GPG thing because I know it’s too difficult for them, and they don’t want to bother with this.

If Thunderbird had such a built-in feature I will be pleased to use it and to spread it as mush as I can.

The argument by law enforcement for weakened encryption is invalid. It would expose my credit card numbers and tax returns (encrypted on my PC) to criminals. In the meantime, the government has proven more than once that it cannot keep its repositories of data secure.

Yes, criminals, terrorists, and foreign agents might use encryption to communicate among themselves. They also use money. Are we to impair the flow of money in our economy for everyone because of some miscreants? They eat, but we surely are not going to restrict the general distribution of food.

As a retired computer software test engineer — with over 30 years experience working with highly classified systems used to operate space satellites for the U.S. military — I know that the use of any weakness introduced into encryption methods cannot be restricted only to law-enforcement. Either encryption will be weak for everyone, or else it will be strong for everyone.

Thunderbird should support OpenPGP, either internally or via external applications. However, see bugs #22687, #285715, #363302, and #415083.

https://bugzilla.mozilla.org/show_bug.cgi?id=22687
https://bugzilla.mozilla.org/show_bug.cgi?id=285715
https://bugzilla.mozilla.org/show_bug.cgi?id=363302
https://bugzilla.mozilla.org/show_bug.cgi?id=415083

For what i see for now, Enigmail seems to provide a good (not perfect) solution on the matter and can be used as well with webmail. The good solution would be maybe include it within Thunderbird on download and add a few options/explanations on how to use it.
On the other hand, the bug on Lightning freezing thunderbird [since years !] with distant calendars seems a lot more critical to solve (but it seems there’s a change … today :p)

As Facebook allows adding a personal OpenPGP public key to profile settings and thus encrypt notification emails sent (experimental feature rolled out in June 2015) I think Thunderbird should have OpenPGP feature build-in (Enigmail is a first candidate). FB move could be a milestone in encrypting email messages and potentially every big player can allow for this in the future. Hope so…
Read the story at: http://arstechnica.com/security/2015/06/facebook-users-can-now-add-openpgp-keys-for-improved-email-security/
BTW: I hope new Firefox add-on policy will not kill all Thunderbird extensions quite soon.

This should absolutely be a priority. To be honest, I have a hard time to understand why “anyone who can access your files using interception technology can more easily just grab your computer from your house”. First, siphoning data off a provider seems to be much easier than going to individual homes and grabbing hardware (and, in fact, we have plenty of evidence that the former happens and the latter doesn’t happen on any large scale). Second, as other commenters noted, breaking into homes is hard to do without anyone noticing while it’s incredibly easy at the provider. The whole Snowden debate teaches us the opposite lesson of that claim.

As far as practical considerations go, there are two low-hanging fruit:

1) Integrating Enigmail by default. Look at what the German providers Web.de/GMX have done in terms of onboarding
2) Integrate OTR encryption into Thunderbird Chat. This is almost done (https://bugzilla.mozilla.org/show_bug.cgi?id=954310) and there is a sizable bounty (https://www.bountysource.com/issues/5925617-add-support-for-otr-and-encrypted-chats)

As for the longterm view, collaborate with other people in the OpenPGP community on things like Secure Key Sync to improve the user experience of PGP users (https://blog.whiteout.io/2015/07/06/standardizing-secure-pgp-private-key-sync/)

Yes, this should be definetally the main focus of the future Thunderbird development!

End to End encryption ist a feature that will only work with a real email-Client. Have a look what TextSecure from Moxie Marlinspike and friends made for short messages. An easy to use, but highly secure communcation system, that even my girlfriend like to use. This is what Thunderbird should be for email.

I would never trust Webmail systems, because I don’t know where the software comes from. Even if the encrypt End2End using Javascript in my Webbrowser, I can’t verify that this software is not modified by an attacker. With a fat client like Thunderbird, I can download the binaries and can verfiy by checksum that it’s a binary that a trustful organization audited.

“just grab your computer from your house” Point to point encryption aside, it was that which worries me the most, burglary or otherwise. I have for as long as TBird has been around been wanting the option to enable a password to open the app and for encryption of the local mail folders. The lack of these is why I run Haller’s PortableApps version from a dedicated VeraCrypt (previously TruCrypt) container.

I think both conversations bring up flawed arguments.

Regarding the former, intelligence agencies of governments wiretap on a truly massive scale, essentially wiretapping everybody collectively. The structure of the Internet made this easy. Comparing this with raiding your home completely misses the point, since raiding homes is clearly not something that can be done on such a massive scale. If we use encryption technology to combat the massive nature of surveillance, we force intelligence agencies to focus on specific targets again, which would be a major privacy benefit for the general public.

Regarding the latter, research tends to indicate the problem is not that people don’t care about privacy, but don’t know how to protect their privacy. They don’t accept all the flawed privacy policies on the Internet because they like them, but because they perceive no alternative. Petitions calling for NSA reforms will likely have many signatories who would like to use e-mail encryption but don’t because it’s to difficult to set up and operate, just like many opponents of Facebook’s privacy policy keep using Facebook because not only having privacy but also having a social life is important.

So to answer your question, YES, Thunderbird should invest in making encryption easier and more ubiquitous, preferably even the default where possible. You will provide many people an option of privacy which was previously non-existent to them. Make it as easy as HTTPS Everywhere and enable it by default.

Even as a computer scientist, I have NEVER sent or received a PGP-encrypted e-mail for non-testing reasons in the last ~7 years, although me and many of my contacts have PGP keys. The reason is quite simple: If I lose my key, I cannot read the mail any more, and (at the moment) I consider the probability of losing my private key a lot higher than that of being interesting for the NSA and friends so they would access mail at my provider. Moreover, there are even more reasons such as not being able to search the content of encrypted mail. For daily use, I find it more important to use a mail provider that I can trust and that uses a secure and verified server-to-server encryption for delivering my mail (this has, in the last months and years, become the case for probably all larger mail providers in Germany as a consequence of Snowden leaks). Living in Germany, if the police or an intelligence agency is allowed to read my email directly at my provider’s server, they could (regarding laws) probably also just enter my home and take my computer with them.

Nevertheless, I find it important that, if I really want to, I can encrypt my mails end-to-end. But that is already the case using the Enigmail plugin, and even some web mailers of my providers have PGP-support (probably additionally requiring a browser-plugin) integrated now. Shipping Enigmail by default may, of course, be a good way to improve the out-of-the-box features.

Regarding Thunderbird development, I would find features such as support for CardDAV as backend for my contacts or (as a “smaller” example) being able to use the RSS reader with self-signed etc. certificates (you cannot use a (https) feed at all at the moment if Thunderbird does not trust its certificate by default) much more important than another PGP implementation than that provided by Enigmail.

I would say yes, end-to-end encryption should be a priority for Thunderbird. ‘Trust’ is an important aspect of email, but unfortunately not everyone is able to understand the dynamics of PGP so easily. Providing strong crypto with a great deal of usability should be heralded, so I therefore support any effort by Mozilla to make end-to-end crypto a priority in Thunderbird. Mozilla has been taking some great steps in promoting privacy, I think this would be another bold move forward.

It’ a great idea \o/

I think Thunderbird should go in two directions:
* use end to end encryption and give a better privacy for their user. Of course, this must be interoperability end-to-end, not specifically for Thnderbird’s users.
* show the level of the encryption when they use email. It’s the goal of the projet CaliOpen, if i’m good understand (https://caliopen.org/)

I explain, the second point. For a lot of users, Internet, email, computer is like magic and a geek who could use it and hack it are a rock star. By consequent, a lot of them think the mail is a secure communication, from field say always the thrust.

I think Thunderbird should show the level of the confidentiality of the email:
* your SMTP use or not TLS between Thunderbird and him
* your SMTP don’t allow other SMTP to connect to him with TLS ( google push to it show the bad SMTP: https://www.google.com/transparencyreport/saferemail/ )
* your SMTP keep your local IP in email header
* Thunderbird is configured to allow picture in html email
* Your mail provider don’t use DKIM or SPF
* your mail provider allows a connexion without login/password
etc …

No. Like it or not, encryption is a niche feature and, given the available resources, well suited to being implemented by an extension. If extensions need additional APIs etc then these should be added.

Encryption will only become mainstream if someone with more marketshare than Thunderbird finds a way to enable it by default. That’s going to need some form of web service to transparently handle creating, storing and sharing keys. I can see how a webmail service could implement that, but I can’t see how client software can overcome the usability issues.

not that I wouldn’t like encryption, but stop trying to fix a flawed protocol.

email wasn’t designed with privacy in mind.
PGP & GPG wont solve this issue.

and we still have the metadata problem

Yes! Please!

I would definitely appreciate included end-to-end encryption in Thunderbird. And it’s the only feature I’m really missing, which is why I use enigmail.

On the one hand I know lots of people (friends, family, colleagues, even some of my pupils) who would like to use encryption but don’t get an addon like enigmail up and running on their own. On the other hand there are lots of people who are just not aware of email not being as private as they think: “Nobody cares for my emails.” Which is for most people true on an individual, analogue basis, i.e. nobody would pay a private detective or a burglar stealing the hardware in order to get the information. But automated surveillance is a totally different matter, since it’s easily done for the big companies and agencies. Those people would at least have a reason to rethink if email-clients would offer encryption by default.

Nevertheless storing the private key safely is a problem, doing a backup has to be mandatory, since loosing the key is simply not an option. Storing the emails encrypted and therefore not indexing them is definitely the safest way. But I think it would be nice to have the option of storing the email locally unencrypted. Sure, that does not help against the burglar and neither against local viruses and the like. And while the latter is a problem because of the high percentages of infected computers, the former is the “normal analogue way”: When receiving an important letter in an envelope, normally people just put it into a folder in the shelf without rewrapping it and without using a safe, which also does not help against thieves.

> The overwhelming consensus was that this is a non-issue. “Anyone who can access your files using interception technology can more easily just grab your computer from your house. …”

This is incorrect in many ways, and a much bigger concern is that it reflects a dangerous lack of understanding about security. Not everyone can be a security expert, but Thunderbird needs someone who possesses expertise and sophisticated skills in this area to help with these decisions.

1) For attackers who have the capability to enter your home, almost always governments, clearly it’s still easier to collect data remotely. Not only do they save the resources of sending skilled personnel to your location, remotely they can collect your data as part of bulk surveillance.

2) The existance of a workaround for the attacker (e.g., if data is encrypted on the wire, go to the user’s home) doesn’t negate the value of security. There is no perfect security; all security can do is raise the cost for the attacker. I think encrypted email greatly increases the marginal cost of collecting your data when it goes from from near-zero (either you’re already part of bulk surveillance, or simply adding your address to a whitelist of addresses to monitor) to the cost of sending personnel to your home, removing your computer, and doing forensic analysis on it.

3) For the great majority of users, governments are a relatively small threat. The biggest threats to privacy, by far, come from businesses, such as ISPs, vendors of other software on their devices, and email providers, and from malware.

4) The attackers listed in #3 will never enter the user’s home and physically access their computer. What many will do, including ISPs, is read the emails on the wire and on hosted mail servers.

Yes, I think it would be an important feature. But which encryption algorythm is really the best choice, the most secure ?

A native PGP should be wonderful !!!

How about a close collaboration with Dark Mail (DIME) ?
I know some Thunderbird developpers already got some contacts with them. Last time I checked, the specifications about their new protocols were almost finalized but for some reason, they had to made a fock of Thunderbird called Vulcano (that isn’t publicly available yet) for implementing their new protocols.

I find this a bit sad that there is no closer collaboration because I think these people know what they are doing and honestly POP, IMAP and SMTP are outdated protocols, and we all know that PGP (already available with Enigamil BTW) doesn’t solve all the issues (although it clearly better than nothing).

Working together could be a win-win: for them to have less work on the development of the client and to beneficiate from the experience of the Thunderbird developpers and for Thunderbird that could be the very first client that supports these protocols: free marketing as lot of media would speak of this, new users who would install and use thunderbird, and it’s in line with the objectives of the Mozilla fundation, isn’t it?

+1 excellent idea. Provide GnuPG email as a standard (in full transparency: thunderbird public server that hosts public keys database; we put our private key once when starting a thunderbird session and then enjoy ^^)

YES, YES, YES, native GPG/PGP would be super great!

Yes! Thank you.

Yes, it would be greatly appreciated!!

Encrypting in Thunderbird? Yes, yes, yes. Thank you

Yes, I think that should be a priority, it will bring encrypt emails to non-technical users. So the technical users can communicate with them via encrypted messages.
I am using Enigmail and ProtonMail, but most of my mail isn’t encrypted. If I encrypt all my mail, I will communicate with less than 10% of my contacts ….

Please help solving the chicken/egg problem and spread e2e encryption.

YES. Mozilla already supports Tor and other privacy initiatives. This would be fantastic to have an end-to-end encrypted, user-friendly email client. The first of its kind, as far as I know.

Yes. Native support will be better.

I consider transport security to be the most imporant aspect. I would like every part of the email encrypted, subject, content, headers and even recipients if possible.

Encrypted storage is definitely not a priority, the OS does that very well already.

Yes!

A native solution that just works and one is vetted by Mozilla would be spectacular. Not just for those who know they need it, but for the users that should, but don’t.

related discussion on HN: https://news.ycombinator.com/item?id=10122242

I like Pfalzgraf’s comment: “To make encryption more ubiquitous, I would prioritize making the experience of using encryption no different from not using encryption”.

I am currently quite pleased with the inbuilt S/MIME signing and encryption capabilities of Thunderbird using certificates and key pairs stored in PKCS11 hardware and software containers. Likewise its support of IMAP over TLS and opportunistic SMTP over TLS.

I am uncertain whether GPG/PGP would be any easier, or prove more conducive to ubiquitous use.

Well, of course, why ask? Just make it real simple to use. Thanks.

Yes to integrated OpenPGP or Enigmail!
The searching through encrypted messages could be fixed by providing on-the-fly encryption/decryption of the entire message base, like The Bat! Professional does.

yes. Privacy is important and making it out-of the box experience will be useful for “average” users!

Please implement end-to-end encryption. As an email user this is one of the most important issues for me. I work for a company that uses Patient History Information governed by HIPAA, and this functionality would allow me to argue that we should move away from MS Office and towards open source tools like Thunderbird. Personally, I want to make it as hard for invasive/fascist/megalomaniacal governments and ‘hackers’ to easily obtain my financial and other personal data that flows through email.

Thank you Thunderbird team.

I think it should be a priority. The main reason is email sits around for a long time in many different places. If the webmail provider or an ISP or some level of government wants to look at my email, they should need to conduct an active attack. I don’t want anyone being able to to search through years of my old emails.

I can still find my own emails by sender, recipient, and time, as well as stars and folders.

Just because there are other avenues for authorities to gain information shouldn’t negate the fact that we can tighten up our own domain. If, at some point in the hopeful future, we manage to legislate and close these legal loopholes that allows access to metadata through process, agencies WILL revert to the next best thing. If that is intercepting traffic, then that’s what they will do. All avenues of exposure need to be tackled.

What I’d like to see in Thunderbird.

* Transparent and built in PGP setup as part of the wizard.
* Enabling AT LEAST signing by default
* Encrypting by default if the recipient is known to have a PGP facility.

Yes! Please support GPG! It would be super great

Yes! End-to-end encryption is perhaps the only hope for any sort of privacy. End-to-end might even mean email client to email client (with no SMTP server exposing meta data) … via WebSockets, WebRTC, or whatever. Simple and transparent integration with The Onion Router (TOR) might help as well.

Besides just doing the right thing (to limit mass, automated, warrantless surveillance of everything on the internet), privacy protections might strongly differentiate Thunderbird. Even if such privacy protecting features were ‘optional’, the availability of such ‘open-source’ (and thus vettable) privacy features might make Thunderbird the first/best messaging client/app/platform.

Yes. It would be nice to have close connection with PGP.

Thunderbird has X.509 PKI and S/MIME support for ages and I am using it occasionally, where is it lacking? PGP is children’s toy.

Yes, please ! We need big e-mail clients to start supporting encryption so that it becomes mainstream!

I think it is vital that Thunderbird have the APIs necessary for *extensions* to implement *different types of* end-to-end encryption. I also think it is vital that Thunderbird users not be restricted to using only those extensions which are signed/approved by Mozilla. Together, those will assure that users have the flexibility they need to choose which ever approach works best for them.

I think it would be helpful if Thunderbird supported some form of end-to-end encryption out of the box. Something as simple as symmetric encryption using a passphrase that you manually enter when necessary, or that you assign to a recipient/sender via address book field, would be sufficient for many uses. I *think* it would be easy to implement as well. Thus making it a viable option even in a limited resources context.

Open GPG or Dark Mail please

Yes, OpenPGP integration to make Thunderbird a safe communication tool.

Yes ! End-to-end encryption would be one step further to Mozilla for spread the importance of privacy and encryption. By making it ergonomic and integrated, it would be more easy for average users to use it or discover it.

End-to-end encryption is an essential property of free digital communication.
given that gpg is the most commonly used somewhat reliable tool we have to do end-to-end enc. in email, thunderbird should provide the most usable and secure interface possible for it.
but ultimately the architecture of trust in pgp (until it supports tofu, which W. Koch is apparently planning), makes it hard to use securely. because of that, it would be valubale to also look at alternative solutions like textsecure and pond and see how they could be facilitated by thunderbird (or, probably better, a fresh environment mozilla might help to develop).

Kent,

First and foremost, thank you for your continued work in support of Thunderbird. For my needs, this is the best desktop email client available on any platform, and by a wide margin. That this has been the case for so many years, it says a lot about the quality and care that goes into this product. My gratitude goes out to you and the team.

Regarding focus and priority, I don’t feel that end-to-end encryption is it. I’m sure it’s a feature that is of interest to some, but I can’t see it as a top priority. Even among those interested, there are problems. It’s typically difficult to set up for those who are non-technical and just want it to work. And for the same audience, there’s a bit of a false-promise of security for reasons you mention in your post. So, even among the subset of users who would be interested, it’s an even smaller subset who won’t be scared off by the configuration and who will also understand what it offers, and does not offer, in terms of actual protection. On the whole, it seems a bit specialized to qualify as a candidate for central focus.

What should be the focus? I’m sure you already have a list of good candidates you’re thinking about besides encryption, so I won’t give suggestions here. In general though, I’d look at features that would be of benefit to most. I’d also look at aspects of Thunderbird that are current core strengths, differentiators from other products, and raise the bar even higher. I’d also consider features that are entirely missing from Thunderbird but have perhaps become mainstream in other products.

Best Regards,
John Shea

Absolutely YES but not because of law enforcement.

Most of people I speak with consider mail as a letter in an envelope sent by post. They do not understand that their mail are in fact postcards by default.

I have heard lawyers telling me they are discussing cases with their client by mail (and some time using a gmail account…), Medical Doctor who keeps in touch with patients by mail and so on.

When I explain them what it means for the confidentiality of their discussions (i.e. that in the best case at least their mail providers have access to the content of those) they usually freak out (which is logical as in my country a breach of confidentiality in one of those profession may lead to the end of their career.).

For all those reasons, we need easy solution of end to end encryption and Thunderbird is a good start for me. It will shows a lot of people that it exists and it is not only a thing for hard core nerd.

But this should be well done, thinking that user are not computer but human and thus may forget their pass-phrase, lost theirs keys, and so on. So this should be done in a clever way.

About law enforcement :
1) I fully agree with this conf of Christopher Soghoian (ACLU) at Defcon 22 when he says that when we say “nsa/law inforcement – proof technology” peoples (esp. politician) hear “we are protecting the bad guys” not “we want to stay free” please watch this : https://www.youtube.com/watch?v=pM8e0Dbzopk
2) They will always be able to get metadata for their investigation and will be able to get physical access to computers of bad peoples. They will just have to define their targets, as they are doing offline. And even in the Snowden context, I hope that the objective is not to prevent law enforcement to do their job, this objective is to force them to stop mass surveillance and concentrate only on the bad peoples.

Of course end-to-end transparent encryption should be a priority.

Enough people (3,639, to be precise) cared about this last year to crowdfund $163,192 to develop MailPile as a Thunderbird competitor to do just this. See https://www.indiegogo.com/projects/mailpile-taking-e-mail-back – we need an open source alternative.

Thunderbird power users want this feature, the “ordinary mass” users need it (even if they don’t know) . We use plugins, but a native integration will add a lot of people, and will contribue to make everyone understand what’s happenning with our privacy in the world.

Please add it as soon as possible.. plz!

I think that encryption would be a nice-to-have, but not a priority at the moment.

What I am far more concerned about is the storage of my personal data in non-standard formats. I am referring, of course, to the Mork thing which is used for Contacts data, and which I see referred to on Mozilla’s own Wiki as “the single most braindamaged file format that I have ever seen in my nineteen year career”. This sort of thing makes Thunderbird look a bit amateur, and must be a big barrier to increased institutional acceptance. It also must make it really difficult for third parties to make synchronisation software.

So, storing Contacts in something standard like LDIF or whatever would be my vote for a high priority.

Mails’ encryption SHOULD be by defaut with any distribution of Thunderbird!
Please make all you can to make it possible!
Most of the people just can’t do a difference between google and internet so they can’t encrypt by themselves!
Thanks for the work and for libre software!