Re: Thunderbird and end-to-end email encryption – should this be a priority?

Bron Gondwana brong at fastmail.fm
Wed Aug 26 20:56:38 UTC 2015


On Thu, Aug 27, 2015, at 00:40, Joshua Cranmer 🐧 wrote:
> On 8/26/2015 5:42 AM, Bron Gondwana wrote:
> > Are you still embedding a giant complex browser engine from an
> > organisation which doesn't give a shit about making sure they aren't
> > breaking your tree or removing things that you depend on, and isn't
> > making security fixes for your branches a priority?
>
> *THAT* is not low-hanging fruit.

That depends on your perspective.  If you're looking at it from a "how
much work would it be for Thunderbird to change" then of course it
isn't.  If you're looking at it from the perspective of a spook with a
millions of dollars budget who wants to snoop on a theoretical
Thunderbird-using-Snowden, then it becomes a pretty big link in
the security chain.

My underlying point is that a general purpose client like Thunderbird
which wasn't designed from scratch to be resistant to the attacks of
a nation-state will have a much larger footprint of code in which a
compromise would lead to data leaks.  The fact that a lot of that
code is coming from an upstream which is somewhere between not
actively caring and actively not caring about the downstream project
adds to the risk.

Protecting against active attacks from a well-resourced opponent is a
very different task than protecting against dragnets.  I still maintain
that the best way to protect against dragnets is to make sure that email
servers continue to be something provided by hundreds of thousands of
separate providers.

The best to protect against an active attacker is still to use something
designed from the ground up for that - like some of the instant
messaging systems.  Email is designed for longevity and immutability, and
weakening that for an appearance of security isn't something that
interests me.  Increasing the costs to security agencies without actually
keeping them out is just going to make them use more taxpayer dollars.

Bron.

-- 
  Bron Gondwana
  brong at fastmail.fm



More information about the tb-planning mailing list