Re: Thunderbird and end-to-end email encryption – should this be a priority?

Bron Gondwana brong at
Wed Aug 26 10:42:49 UTC 2015

On Tue, Aug 25, 2015, at 19:31, R Kent James wrote:
> In one conversation, at the “Open
        Messaging Day”[1] at OSCON 2015, I brought up the issue of
        whether, in a post-Snowden world, support for end-to-end
        encryption was important for emerging open messaging protocols
        such as JMAP[2]. The overwhelming consensus was that this is a
        non-issue. “Anyone who can access your files using interception
        technology can more easily just grab your computer from your
        house. The loss of functionality in encryption (such as online
        search of your webmail, or loss of email content if certificates
        are lost) will give an unacceptable user experience to the vast
        majority of users” was the sense of the majority.

As a lead "voice" on this, I'd like to expand a bit on what I said about
it, and also address the next point.

> In a second conversation, I was having dinner with a friend who
      works as a lawyer for a state agency involved in white-collar
      crime prosecution. This friend also thought the whole
      Snowden/NSA/metadata thing had been blown out of proportion, but
      for a very different reason. Paraphrasing my friend’s comments,
      “Our agency has enormous powers to subpoena all kinds of records –
      bank statements,  emails – and most organizations will silently
      hand them over to me without you ever knowing about it. We can
      always get metadata from email accounts and phones, e.g. e-mail
      addresses of people corresponded with, calls made, dates and
      times, etc. There is **alot** that other government employees (non
      NSA) have access to just by asking for it, so some of the outrage
      about the NSA’s power and specifically the lack of judicial
      oversight is misplaced and out of proportion precisely because the
      public is mostly ignorant about the scope of what is already
      available to the government.”

> So in summary, the problem is much bigger than the average person
      realizes, and other email vendors don’t care about it.

That on the other hand, is a mis-characterisation of at least the email
vendor that I represent.

Basically you have two choices - make it really absolutely impossible to
get at any content of any emails, with all the associated inability to
pretty much support ANYTHING.  Seriously, I've debugged issues where
emails were undeliverable if the user had a sieve rule with a regex
match in it, and the email size was an exact multiple of 4096 bytes -
because it was using in an mmap with slop, and if the mmap size matched
exactly, a string read would run off the end of the mapped area.

You can do what StartMail do:

Which sounds awesome, except that every time you log in or hold an IMAP
connection open (we have tons of customers who hold connections open
all the time) then all your data gets decrypted.  An NSA or similar
attacker will get access at that point if they have compromised the
server provider.

MOST people access their email every day.  I did some stats to check -
over half our users have logged in within the past 24 hours.  So it
doesn't take long to insert the attack at the vendor end and get access
to the data.

Which means that all their crypto is a bunch of expensive security
theatre.  We do it too, except at the full disk level - for a couple of
reasons.  One is the "if someone came and took all our servers, they
wouldn't be able to read anything" - it's an unlikely risk, but a nasty
one.  The real win is that we can ship failed disks back for RMA without
worrying about leaking data.  That's a big win overall, because those
things aren't cheap, and shredding them isn't cheap either.  So we
encrypt all our disks just so that we don't have to shred them.

The incentives just aren't aligned for a real "secure" server.  If your
attacker has millions of dollars budget, and you're being paid
$60/year/user, they'll find a way in.  StartMail is compromisable if
you can co-opt the Dutch Government, or even just blackmail one of
their staff.

(if you can control two of their senior staff, you can get at every
account via the key recovery mechanism - you need one of those, or you
lose everything when you forget your password - and people forget their

So we have a choice between an infeasably complex perfect world, or a
bunch of pointless theatre.  I love the theatre as much as the next guy,
but not while I'm trying to work on real security.

Your only choice is to either have full end-to-end encryption (which is
really Thunderbird's world - and the only way that it would influence
JMAP at all is that you would cut down some of its capabilities that
don't make sense if you can't access message metadata on the server, and
treat it as a dumb blob transport).

Or you can find a provider that you trust - in a jurisdiction that you
feel comfortable with.  We at FastMail do provide data to the Australian
Federal Police upon presentation of the appropriate warrant (and want to
- I believe in the rule of law, and courts, and the whole system.  I
prefer it to the alternative of total lawlessness, and I don't want to
place myself above the courts either)

But what we ARE trying to do with JMAP is counter the rise of
proprietary protocols, and the associated consolidation of email into
just a few big providers - because that makes dragnetting significantly
more simple, and doesn't allow users a good ability to choose between
giving up their privacy or not playing at all.

We're also putting significant development effort into the Cyrus server,
with a goal of making it easier to run your own server.

> Should this be a focus for Thunderbird development?

That is outside my scope as a server side and vendor advocate :)  I do
quite like the look of some of the stuff the Matrix guys are doing for
instant messaging.  Perhaps integrating that with Thunderbird and
talking to them about an email/MIME transport for matrix messages would
be an interesting project.

Meanwhile, low hanging fruit... does Thunderbird ever send passwords in
plaintext over the wire without you doing an arcane dance in
about:config somewhere?

Will it connect to servers with self-signed certificates without you
doing a similar dance?

Are you still embedding a giant complex browser engine from an
organisation which doesn't give a shit about making sure they aren't
breaking your tree or removing things that you depend on, and isn't
making security fixes for your branches a priority?


  Bron Gondwana
  brong at


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tb-planning mailing list