Thunderbird 78.2.1 and 81.0b2 milestone

Mike Dewhirst miked at dewhirst.com.au
Mon Aug 31 02:41:56 UTC 2020


On 30/08/2020 11:24 am, Wayne Mery wrote:
>
> Thunderbird 78.2.1 and 81.0b2 are both live.
>
>   * 78.2.1 enables OpenPGP by default
>     https://www.thunderbird.net/en-US/thunderbird/78.2.1/releasenotes/
>

Bravo Wayne! Congratulations. I love it.

>   * 81.0b2 ditto, plus a few fixes
>     https://www.thunderbird.net/en-US/thunderbird/81.0beta/releasenotes/
>
> OpenPGP enabled by default is a new milestone in the evolution of
> version 78. The UI is now visible for end-to-end (message)
> encryption, aka e2ee, in account settings.
>
>   * Introduction
>     https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption
>

I'm really a lurker here but I feel encouraged by this announcement to
say something.

In general the concept of e2ee is good. HOWEVER it solves a non-existent
problem. Email has been insecure from day 1 and everyone knows this and
uses other mechanisms for keeping real secrets. As your article
carefully points out it is potentially dangerous to make mistakes and as
it also points out and indeed demonstrates, understanding e2ee for email
is costly in terms of brain-space and therefore new users will avoid it.

The REAL problem is phishing. The magic preventer is signed email.

No matter how carefully an attacker trawls the web for evidence with
which to impersonate a trusted correspondent they cannot sign mail from
that trusted person. Their poisoned email will be immediately revealed
as a phishing attempt provided those correspondents usually sign their
mail to each other.

This reality reveals an immediate opportunity for Thunderbird.

If I was calling the shots I would focus on email signing and forget
e2ee. Encrypted email will always have a tiny market dominated by
paranoid IT departments who probably don't know Thunderbird exists.

Signed email has a potentially huge market purely because it is a
defence against one of the most serious problems email faces today and
in the foreseeable future.

You probably can't make signed email "on" by default but you could make
it really easy to understand for non-technical people. And you could
strongly recommend it. You can't strongly recommend e2ee because it is
simply unnecessary for the vast majority.

Finally, the best strategy for achieving widespread e2ee, if that is in
fact desirable, is to introduce email signing first. That will lower the
psychological and intellectual barriers somewhat.

Have a look at my sig below.

Cheers

Mike

-- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.




>   * Ask questions at https://thunderbird.topicbox.com/groups/e2ee
>   * File bug reports at
>     https://bugzilla.mozilla.org/enter_bug.cgi?product=Mailnews%20Core&component=Security:%20OpenPGP
>
>
> _______________________________________________
> tb-planning mailing list
> tb-planning at mozilla.org
> https://mail.mozilla.org/listinfo/tb-planning

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mail.mozilla.org/pipermail/tb-planning/attachments/20200831/c38bae87/attachment-0001.sig>
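Editor's added example, not part of the post above and not Thunderbird's or any OpenPGP library's code: a minimal model of the check Mike is describing. Ed25519 keys from Go's standard library stand in for OpenPGP keys, the addresses and message bodies are constructed, and the "keyring" is a plain map of address to imported public key. It runs the cases the post reasons about: a genuine signed mail, a mail with a forged From header signed by the attacker's own key, a genuinely signed mail whose body was altered, an unsigned mail from a correspondent who normally signs, and mail from a sender with no key on file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict is the outcome of checking one inbound message against the keyring.
type Verdict string

const (
	VerdictGood     Verdict = "valid signature from the key on file for this sender"
	VerdictBadSig   Verdict = "INVALID signature: body altered or signed with a different key"
	VerdictUnsigned Verdict = "unsigned, but this correspondent normally signs: suspect"
	VerdictUnknown  Verdict = "unsigned, no key on file for this sender"
)

// Mail is a constructed, deliberately minimal message: a From header, the
// signed content, and a detached signature (nil when unsigned).
type Mail struct {
	From string
	Body string
	Sig  []byte
}

// Keyring maps a correspondent's address to the public key previously
// imported for them. Importing is the one step that has to happen out of band.
type Keyring map[string]ed25519.PublicKey

// Sign produces a detached signature over the body with the sender's key.
// A real client signs a canonicalised MIME part (RFC 3156); the raw body
// stands in for that here.
func Sign(from, body string, priv ed25519.PrivateKey) Mail {
	return Mail{From: from, Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// Check applies the policy the post argues for: mail claiming to come from a
// correspondent whose key is on file must carry a signature that verifies
// under that key. Forging the From header is trivial; forging this is not.
func Check(ring Keyring, m Mail) Verdict {
	pub, known := ring[m.From]
	switch {
	case !known:
		return VerdictUnknown
	case len(m.Sig) == 0:
		return VerdictUnsigned
	case ed25519.Verify(pub, []byte(m.Body), m.Sig):
		return VerdictGood
	default:
		return VerdictBadSig
	}
}

// Scenario runs the cases the post describes and returns the verdict for each.
func Scenario() (map[string]Verdict, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Mallory, the phisher, has a key pair of her own, but Alice's
	// correspondents never imported it, so it proves nothing about "Alice".
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ring := Keyring{"alice@example.com": alicePub} // constructed address

	genuine := Sign("alice@example.com", "Please pay invoice 42 to the usual account.", alicePriv)

	// Spoofed From header, signed with the attacker's key: the case the post
	// says is "immediately revealed".
	spoofed := Sign("alice@example.com", "Please pay invoice 42 to this NEW account.", malloryPriv)

	// Genuine signature, body altered in transit: same verdict as spoofed.
	tampered := genuine
	tampered.Body = "Please pay invoice 42 to this NEW account."

	// Signature stripped: the attacker's cheapest move, and the reason the
	// post's "provided those correspondents usually sign" caveat matters.
	unsigned := Mail{From: "alice@example.com", Body: genuine.Body}

	// Sender with no key on file: nothing to verify against.
	stranger := Mail{From: "bob@example.net", Body: "Hello"}

	return map[string]Verdict{
		"genuine":  Check(ring, genuine),
		"spoofed":  Check(ring, spoofed),
		"tampered": Check(ring, tampered),
		"unsigned": Check(ring, unsigned),
		"stranger": Check(ring, stranger),
	}, nil
}

func main() {
	verdicts, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "spoofed", "tampered", "unsigned", "stranger"} {
		fmt.Printf("%-9s %s\n", name, verdicts[name])
	}
}
```

Two things the model makes visible. First, a valid signature only proves that whoever holds the key on file signed this exact body; whether that key really belongs to the person named in From depends entirely on how it was imported, so first contact (a key sent along in plain email, for instance) is where a substitution would have to be caught. Second, the "unsigned from a sender who normally signs" verdict is the one a client must actually surface: if stripping the signature silently downgrades the mail to an ordinary unsigned message, the attacker simply does not sign, and the defence only works if the recipient's software (or habit) notices the absence.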

