90 Barriers to Encrypted Email
jb at mozilla.com
Tue Sep 2 13:28:24 UTC 2014
Thank you for you note and thoughts. I am cc'ing the Thunderbird
community mailing list for possible follow-up.
On 01/09/2014 01:59, Dave Jarvis wrote:
> Some of my friends' comments when asked if they'd use encrypted email:
> "I would if there were a significant benefit. The biggest problem is
> that of critical mass: why bother setting up encrypted email if nobody
> else encrypts their email (or even knows how to decrypt it)?"
> "Some of my friends suggested that the disadvantages outweighed the
> advantages. But I'd definitely support efforts to make encryption in
> email standard or merely more common. The challenge as usual is
> backwards compatibility in dealing with a mix of people who do and don't
> use encryption--especially with the danger of known plaintext attacks if
> someone frequently messes up and replies to an encrypted email in
> plaintext with the whole decrypted message quoted in plaintext."
> "I would with friends who also did."
> Thinking I could convince more of my friends to use encrypted email, I
> documented the steps to send an encrypted email, from start to finish:
> The steps tally around 90 (many installation wizard steps were omitted).
> Each step is a barrier to success. The remainder of this email outlines
> a possible flow that would greatly simplify exchanging encrypted emails
> for first-time users.
> THUNDERBIRD w/ENCRYPTION INSTALLATION
> If Mozilla or Enigmail is unable/unwilling to provide this, then perhaps
> it is something the Tor folks could tackle?
> 1. Download Thunderbird.
> 2. Click the Thunderbird Setup executable.
> 3. Click Run.
> 4. *NEW* "Enable confidential emails" is checked by default.
> 5. *NEW* "Run Thunderbird after installing" is checked by default.
> 6. *NEW* "I have an existing email address" is checked by default.
> 7. *NEW* Click "Install" (note: not "Next, Next, Next, Next, Next, Next,
> ad nauseam, Install, Finish").
> At this point, the following events happen without user intervention:
> - The software installs Thunderbird, GPG (bundled), and Enigmail.
> - The installer exits.
> - Thunderbird starts.
> THUNDERBIRD CONFIGURATION
> Since "I have an email address" was checked:
> 1. Type in Name.
> 2. Type in Email address.
> 3. Type in password.
> 4. Click Continue.
> At this point, for known mail servers (such as GMail, Hotmail, Yahoo
> Mail, etc.), the default IMAP and POP3 settings are tested and accepted
> automatically. (This could even be attempted for unknown MX servers.)
> The user needn't confirm the settings unless something went awry.
> *NEW* Thunderbird automatically:
> - Downloads Inbox contents.
> - Imports email address contacts (this is needed later).
> ENIGMAIL CONFIGURATION
> Since "Enable confidential emails" was checked, the Enigmail wizard appears.
> 1. *NEW* "I need a secret key" is checked by default.
> 2. User is prompted to write down a secret Passphrase on a piece of
> paper (16+ characters, numbers, symbols).
> 3. Type in the Passphrase.
> 4. Type in confirmation Passphrase.
> 5. Click Continue.
> At this point, the system:
> - Notifies user to wait several minutes, and not to exit the
> application. (Does not state anything about a randomness pool: people
> don't care.)
> - *NEW* Moves the progress towards completion (never remains fixed for
> more than a tenth of a second, no matter what).
> - *NEW* Automatically replenishes the pool using intermittent I/O, and
> random network pings (e.g., to random.org, google.com, their MX server,
> and a few others). No need to ask the user to do this...
> - *NEW* Certificate is automatically generated and saved to the Desktop.
> PUBLIC KEYS
> *NEW* The Enigmail wizard continues:
> 1. *NEW* "Upload public key" is checked.
> 2. *NEW* The Keyserver "pgp.mit.edu" is selected.
> 3. Click Finish.
> *NEW* In the background, Enigmail searches and downloads all public keys
> in the user's contact list using the collected email addresses.
> Alternatively, Enigmail does this one at a time when sending emails, if
> the public key was not already retrieved (to prevent swamping the
> This means that all public keys should be listed in the Enigmail Key
> Management tool. Currently, if I sent a message to a friend, then looked
> at the managed keys, the key is not listed. There is no (obvious) way to
> verify that their public key was used to encrypt the message. If the key
> was automatically downloaded, used for encryption, and added to the
> managed keys, then I could confirm that the key was used (or at least
> SENDING EMAIL
> When I send an email that can be encrypted with the recipient's public
> key, a little lock icon should appear next to their email address.
> Hovering over the lock icon should reveal a tooltip. The tooltip should
> let me know that their public key is being used to encrypt the message.
> In this fashion, I can write a message to several people and know who
> will receive an encrypted copy and who will not (e.g., Jb Piacentino and
> Paul Syverson). It also let's me verify what public key is being used.
> Lastly, it would relieve the necessity of prompting to confirm public
> keys being matched to the number of recipients.
> FINAL NOTES
> This reduces the number of steps from ~90 to ~13 for first time users,
> thereby nearly passing the "grandmother test". Users can configure
> Thunderbird and Enigmail afterwards should default settings be insufficient.
> IMHO, email encryption remains well beyond average user capability.
> Significantly reducing the number of steps by bundling the major
> software components should greatly increase (mainstream) adoption.
> CC: GPG and Tor developer leads.
More information about the tb-planning