Comments on "Thunderbird and end-to-end email encryption – should this be a priority?"

Jörg Behrmann behrmann at physik.fu-berlin.de
Wed Aug 26 09:50:23 UTC 2015


I do think that Thunderbird should make encryption a priority.

Of course, the arguments listed in the blog post are somewhat valid,
although I don't share their sentiment, and although the risk of
personal surveillance might be marginal for a single user, the point of
end-to-end encryption is rather a societal one. A wider deployment would
raise the cost of mass surveillance and would at the same time make the
use of encryption less suspicious, thus helping activists in countries
that oppress political dissidents.

The biggest problem end-to-end encryption faces is of course the
chicken-and-egg problem of there not being enough users, so why use it?
Thunderbird, as the most widely deployed FOSS mail client, could solve
this problem.

The best solution would be to bundle Enigmail [1] with Thunderbird, as
is currently done with Lightning. This would immediately increase the
user-friendliness of GPG for all users, as signatures would be
transparently hidden and, if GPG is installed, checked. This is an
important point, since a lot of non-technical users are confused by the
"garbled mess" at the bottom of the mail that is the signature.
Of course, the installation base for GPG then becomes another problem.
On Linux systems this is a non-issue, since it is installed with
virtually every distribution, but for Windows and Mac systems a
partnership with GnuPG [2] should be taken into consideration, since it
has a mature Windows implementation [3] and some project for OS X exists
as well [4].
The installation base for these tools could be increased multifold if at
least a minimal version of them for use with Thunderbird could be
bundled with Thunderbird as well.

Although Enigmail already provides a much better user experience than
in earlier versions, it would need to be greatly improved with a lot of
choices made for inexperienced users (and hidden options for advanced
users), so that it becomes a turn-key solution. Another blocker is of
course that Thunderbird features like mail search need to work
transparently for encrypted mails as well for this to take off.

The last and possibly most important point is backup of key material.
The users should be reminded to make a backup on some USB stick. Another
step would be to have Firefox Sync-like features for Thunderbird that
could save the private key in encrypted form in the cloud, if the user
so wishes. An open protocol for this that could be implemented by
others, like OpenKeychain [5] on Android, would be the best solution for
this. This would greatly help users to access their mails on all the
different clients they use.

best regards,
Jörg Behrmann

[1] https://enigmail.net/home/index.php
[2] https://gnupg.org/
[3] http://www.gpg4win.org/
[4] https://gpgtools.org/
[5] http://www.openkeychain.org/
