Re: Thunderbird and end-to-end email encryption – should this be a priority?

Ben Bucksch ben.bucksch at beonex.com
Sat Sep 5 07:50:19 UTC 2015


R Kent James wrote on 25.08.2015 11:31:
> This is the text from a blog post today on the Thunderbird blog:
>
> See 
> https://blog.mozilla.org/thunderbird/2015/08/thunderbird-and-end-to-end-email-encryption-should-this-be-a-priority/
>
> In the last few weeks, I’ve had several interesting conversations 
> concerning email encryption. I’m also trying to develop some concept 
> of what areas Thunderbird should view as our special emphases as we 
> look forward. The question is, with our limited resources, should we 
> strive to make better support of end-to-end email encryption a vital 
> Thunderbird priority? I’d appreciate comments on that question, either 
> on this Thunderbird blog posting or the email list 
> tb-planning at mozilla.org.
>
> In one conversation, at the “Open Messaging Day” 
> <http://www.oscon.com/open-source-2015/public/schedule/detail/45257> 
> at OSCON 2015, I brought up the issue of whether, in a post-Snowden 
> world, support for end-to-end encryption was important for emerging 
> open messaging protocols such as JMAP <http://jmap.io/>. The 
> overwhelming consensus was that this is a non-issue. “Anyone who can 
> access your files using interception technology can more easily just 
> grab your computer from your house. The loss of functionality in 
> encryption (such as online search of your webmail, or loss of email 
> content if certificates are lost) will give an unacceptable user 
> experience to the vast majority of users” was the sense of the majority.
>
> In a second conversation, I was having dinner with a friend who works 
> as a lawyer for a state agency involved in white-collar crime 
> prosecution. This friend also thought the whole Snowden/NSA/metadata 
> thing had been blown out of proportion, but for a very different 
> reason. Paraphrasing my friend’s comments, “Our agency has enormous 
> powers to subpoena all kinds of records – bank statements, emails – 
> and most organizations will silently hand them over to me without you 
> ever knowing about it. We can always get metadata from email accounts 
> and phones, e.g. e-mail addresses of people corresponded with, calls 
> made, dates and times, etc. There is */a lot/* that other government 
> employees (non NSA) have access to just by asking for it, so some of 
> the outrage about the NSA’s power and specifically the lack of 
> judicial oversight is misplaced and out of proportion precisely 
> because the public is mostly ignorant about the scope of what is 
> already available to the government.”
>
> So in summary, the problem is much bigger than the average person 
> realizes, and other email vendors don’t care about it.
>
> There are several projects out there trying to make encryption a more 
> realistic option. In order to change internet communications to make 
> end-to-end encryption ubiquitous, any protocol proposal needs wide 
> adoption by key players in the email world, particularly by client 
> apps (as opposed to webmail solutions where the encryption problem is 
> virtually intractable.) As Thunderbird is currently the dominant 
> multi-platform open-source email client, we are sometimes approached 
> by people in the privacy movement to cooperate with them in making 
> email encryption simple and ubiquitous. Most recently, I’ve had some 
> interesting conversations with Volker Birk of Pretty Easy Privacy 
> <http://pep-project.org/> about working with them.
>
> Should this be a focus for Thunderbird development?
>

Yes, it should.

Take a look at Mailvelope, a Firefox extension. 1&1 / web.de / GMX has 
used this as the base for their own PGP extension, made the setup process 
very easy, found a way to recover keys somewhat securely (after changing 
the computer, reformatting, losing the computer or files, a critical 
problem for average users) and is rolling this out to 30 million users. 
The tech press had positive feedback on how it's implemented.

You might be able to steal some of the ideas and maybe even some of the 
implementation.

Ben


