Closed Bug 135636 Opened 23 years ago Closed 2 years ago

Automatically enable or disable end-to-end encryption (OpenPGP or S/MIME) if it's possible based on existing user and recipient configuration.

Categories

(MailNews Core :: Security: S/MIME, enhancement, P2)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED
113 Branch

People

(Reporter: 2009-bugzilla, Assigned: KaiE)

References

(Blocks 3 open bugs, Regressed 1 open bug, )

Details

(Whiteboard: [kerh-eha] [GS] Summary of what was done: See comment #239)

Attachments

(5 files, 3 obsolete files)

Right now I only have two options is MailNews Account Manager / Security / Encryption : o Never encrypt messages o Require message encryption As far as I can remember, Netscape 4.x offered "Encrypt by default" - which allowed you to send mail to users who don't have S/MIME-keys after dismissing an alert. In Mozilla you currently have to select "Never Encrypt" in the preferences and disable encryption every time you want to send a mail manually (and hopefully don't forget to enable) - or select "Require Encryption" which requires you to manually disable (after an alert) encryption to send a mail. I think there should be a third option "Encrypt when possible", which does not require the user to enable and disable encryption manually. I don't know to what extend the backend is capable of doing so, and didn't find a duplicate bug. Since I don't think of this as an enhancement, severity has been set to normal.
Attached image Account Manager Screenshot (deleted) —
QA Contact: nbaca → junruh
*** This bug has been marked as a duplicate of 117763 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Verified. Actually a dupe of bug 129100
Status: RESOLVED → VERIFIED
It seems like there are preparations for this, but no implementation yet. And no bug dealing with this issue specifically. http://bugzilla.mozilla.org/show_bug.cgi?id=117763#c10 : ------- Kai Engert 2002-04-23 12:54 ------- > Kai, is there an open bug for the 'if possible' option now ? Not sure, if you can't find one under PSM/S/Mime, feel free to file one, but please mark it as "request for enhancement".
Severity: normal → enhancement
Status: VERIFIED → REOPENED
Component: Account Manager → S/MIME
Product: MailNews → PSM
Hardware: PC → All
Resolution: DUPLICATE → ---
Summary: Need "Encryption when possible" option → Implement "Encryption when possible" option
Version: other → unspecified
Reassigning and adding Kai
Assignee: racham → ssaux
Status: REOPENED → NEW
QA Contact: junruh → carosendahl
Keywords: regression
Summary: Implement "Encryption when possible" option → [UE] Implement "Encryption when possible" option
Blocks: 74157
I'd like to add that I think this would be a great feature. For me, it makes the security/crypto stuff almost unusable...
Altering - actually not an enhancement, but a regression from NS4.79
Severity: enhancement → normal
Priority: -- → P3
Version: unspecified → 2.3
I was asking Charles privately why he thinks it is a regression. He pointed me to the wording in Communicator, which indeed says "encrypt if possible" in the default configuration. However, the option in an individual message is simply called "encrypt". I don't want to start a discussion on whether it is indeed a regression or not, but note the following: Communicator *only* had the "if possible" default option. If encryption is not possible, it *always* bothers the user with an allowance question. Mozilla currently has a require option. What we want for the "Mozilla when possible" behaviour is: - if possible, send encrypted - do never show a warning, just send in the plain, if encryption is not possible. It was said, the warning is bothering and should be avoid. If a user is picky about using encryption, he would configure the application to require encryption. "When possible" is for users who don't care. In that sense, because the plan is that Mozilla will use a completely different behaviour than Communicator, in my opinion this is not a regression.
Not to task the devs too much on this; getting the above described behavior would be excellent, but I think if its convenient while you are futzing with it, there should be an option for warning that you are sending without encryption, similar to the way it works for web services. The warning can be disabled or not. If this is a major pain in the butt, forget about it, but I think it would make sense to do this, because its the same behaviour/UI seen on the browser side.
I think we are making progress. The way that I see it, (in my current role as user champion :) Under Configurable persistent preferences, there are two primary areas: 1. Mail 2. News Under News Accounts (tbd), we have: 1. Sign news messages by default - Boolean. Either you do or you don't. 2. Encryption is not an option and is therefore ommitted from news account settings. Under Mail, we have: 1. Sign mail by default - Boolean. Either you do or you don't. 2. Encryption - Tertiary. Never, When Possible, and Required. 2a. Never: This is the default. Users who don't care leave it as is. 2b. When Possible: This option attempts to encrypt to all recipients in the list, but should it find one or more without certificates, a prompt will notify the user that the message cannot be sent encrypted. The user has the option of sending it unencrypted, or cancelling out to correct the situation. Additionally, a 'don't show me this warning anymore' checkbox exists to turn off the warning should the user choose to send unencrypted anyway. the warning may be toggled from the preferences panel that contains all of the other warnings related to SSL, etc., etc. if the user wishes to see it again. 2c. Required: This option requires that all recipients have a certificate available for sending to succeed. Should a recipient cert be unavailable for one or more recipients, an error message (a la 4.79) indicates to the user that they should check the security info to find out which users are missing certs. In the info panel (a la 4.79) the sender may then mulitple select any or all users missing certs and attempt to retrieve them from one or more directory services. After obtaining as many certs as possible, the sender may then omit the other recipients and continue to encrypt the message. ==== Both options 2b and 2c turn encryption on by default. The only difference between 2b and 2c is the fact that the user can continue to send unencrypted and/or turn off the warning in the process. In both 2b and 2c the user can cancel out and go to the security info box to retrieve as many certificates as possible if encryption is really desired. FYI - Current code does not yet support cert retrieval from external services or signed news messages yet. By and large, this is a correct view of OE's and 4.79's current behavior. It is this behavior that existing users will expect, and new users will appreciate.
Actually the design for when possible is not what you described. The design is detailed in http://www.mozilla.org/mailnews/specs/security/ and calls for the Send button and the Security Icon to display whether the mail can be encrypted when the "If possible" option is chosen. If it's not possible, the send icon shows a broken lock, and the security Icon shows a torn certificate. The use can send without a warning, it's just sent non-encrypted. Because the send button gives plenty of feedback it was deemed acceptable. The if possible then has the following semantics: If you can send encrypted send it. I don't generally write security sensitive stuff, but if possible encrypt anyway. If I'm sure that I want to encrypt, I'll change the setting for that message only using the security button.
And I agree with Kai that this is not a regression. The S/mime model is significantly different in both clients that it's not meaningfull, in this case, to talk about regression. I'll add to that we can't add the if possible option until we have made a commitment to implement the full UI spec.
I agree that we need to implement the UI as suggested before we can implement this feature. However, note that this makes things more complicated. In order to show at any time the correct state in the UI, this means, we need to know at any time whether sending encrypted will be possible or not. That means, whenever the list of recipients changes, we automatically must check, obtain and verify the required certificates. I already had discussions with people from the mail/news team. It will be somewhat tricky to implement, because the current mailnews UI is not prepared to help us here. The list of recipients is currently only gathered on demand, so our change will need a partial rework of the mail composer window code.
This may not be a code regression, but it is a usability/feature regression. The feature is in 4.79, regardless of the model being used. The feature, while spec'd, is not in machV. As to the spec, all is well and good. Where is the harm in issuing a warning that users can turn on and off? It appears to be the convention, particularly when security is involved? It is better to err on the side of usability and conveying more information than not. The current implementation is not user friendly. I'm serious - most users are not tech weenies and will not like the behavior - they just want something that works in a common sensical fashion. The idea here is to deliver functionality that generates a customer satisfaction, is it not?
I just think we need to address this by RTM. Removed regression keyword. The UI in the spec, if we could implement it by RTM, would be great - there is ample visual feedback. Still think we ought to have the 'one time warning' dialog though...just like when you enter a secure site, leave a secure site, send form data, etc...
Keywords: regression
Target Milestone: --- → Future
Severity: normal → enhancement
this is a show stopper for deploying mozilla to my approx 150 users. They use encryption and would not stand for the current Mozilla arrangement. They are very satisfied with the options in Netscape 4.x.
*** Bug 176205 has been marked as a duplicate of this bug. ***
Is there any activity on this usability bug? There appears to be paralysis (http://bugzilla.mozilla.org/show_bug.cgi?id=149876) over semantic defintions in the design spec. I want to deploy Mozilla to replace Netscape 4.8, BUT the users need better support for dealing with recipients who do not have encryption certificates (x.509 certs)-- at least the same flexibility as in NS4.x. And I'm willing to throw $200 at the problem, if only to get a resolution. If it's never going to happen (for whatever reason) then I need to know so I can find another solution. But for most of my clients that solution requires x.509 certs in Windows, and my options are extremely limited, hence the offer of money. It's not hard to see that different security stances at different organizations would require a whole range of options, which can't be met by limiting the choice to two (require or not, or just replacing what was available in NS4.x
Is this feature dead? I have been hoping that this feature would come back (It was implemented at one point) .. The logic should be simple to implement .. if there certificate is available, ecrypt .. if not, dont encrypt ..
*** Bug 195940 has been marked as a duplicate of this bug. ***
*** Bug 219033 has been marked as a duplicate of this bug. ***
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
How much will it take to get this implemented? I would contribute...
This bug needs a UI proposal and a patch to implement the UI proposal. I can't estimate how long it would take someone else to do the work. I am willing to give an interim review to an API and of course will review any proposed patch.
This is what I see needing changed: Mail & Newsgroups Account Settings/Security Encryption Add "When possible/warn (encrypt if all recipients have certificates, warn if not)" to "Default encryption" radio buttons Add "When possible/nowarn (encrypt if all recipients have certificates, no warning if not)" to "Default encryption" radio buttons Compose/Send Implement additional encryption modes It sounds like implementing a dynamic Send button would be problematic, though it would be nice to have the feedback, but I don't want to rely on only that. Once a user is used to where things are, they tend not to look too carefully at the buttons. I've never done any coding on Mozilla, and very little GUI programming, but this doesn't sound too terribly difficult if the existing code is well organized.
well... first unaddressed concerns: 1. Suppose i have one mail account and 2 identities. Q. How does that affect this stuff? second... confusing questions: 1. Do I need a personal certificate to encrypt mail to other people? None of the docs seem to give any reason that I'd need this, but the current ui sure forces me to have one. 2. Is it really true that you can't sign nntp posts? About Digital Signatures & Encryption <chrome://help/locale/mail_sec_help.html#about_sigs_encrypt> says "Signing and encryption are not available for newsgroup messages." I thought I'd seen signed nntp messages, and I can't see any reason why I shouldn't be able to sign an nntp message, or why I shouldn't be able to include my public key in nntp messages. finally... UI Proposal: edit>mail and news account settings>[account]>security Encryption Default encryption setting when composing messages from this account: ( ) Do not encrypt messages ( ) Encrypt messages when all recipients have certificates ( ) Require all recipients to have certificates to send mail Certificate to include in messages sent by you so people can send encrypted messages to you: [None |v] [ View ] |timeless@bemail.org - timeless authority | The preceding seems good enough for my purposes. (The view button would be entirely optional, is not required imo, and the title is subject to negotiation). I'm not very fond of the two buttons, but if people insist on buttons, then I'd request: [ ] [ Choose...] [ None ] If I really need info about the certificate, I could open the manager.... As for the choice of "choose" over "select", well, the rest of account settings use it. As for changing clear to 'none', um... I just don't see a point in a clear button that does what this one does. Normally clear is a really destructive thing, ala clear cache. While i'm specing, the select buttons shouldn't be enabled if you don't have any certificates. Note that this problem goes away if you replace the control with a listbox, since it would just have a single item "None". message composition (encrypted) [certificates are available for all recipients and the mode is require or when possible] the send/send later items should change to indicate that (some sort of image/overlay could work). One approach would be to change the default icon to look more like a postcard. message composition (require certificates) send/send later items are disabled on the fly when a user is added to the to/cc/bcc list and there is no certificate for that addressee in the certificate manager. bonus points could be awarded at a later date for making the address icons of encryptable and unencryptable addressees visually distinct. If mail doesn't have hooks which let the security system find out about recipients being added/removed from the address list, that can be fixed.
How can you have one mail account and two identities? Your identity *is* your mail account. I can't think of a technical reason for requiring a cert to encrypt to other people, the only reason you would want to do so would be to send anonymous encrypted mail. There are obvious cases where you might want to do that, so you can turn off signing, though one would want to double check that it doesn't send your cert along to identify you anyhow, even if it doesn't sign it. It might very well do that because you would expect that if you send encrypted mail to someone, you would want an encrypted reply. I agree that signing news posts should be an option, though it's not my main concern.
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
My users that used to use encryption quite regularly with the Netscape 4.x "encrypt if possible" model have pretty much stopped using SMIME encryption with Mozilla. The remaining users make a point of periodically asking me when this "great" mail client will be fixed to work as well as the old one.
*** Bug 251179 has been marked as a duplicate of this bug. ***
OK -- it's now reached the point of being an actual irritant to my users. here's the latest one -- Just the latest of 23 at this firm. Mozilla has rendered PKI (x.509) encryption unusable for non-propellerheads. PLEASE, PLEASE, PLEASE, re-implement the netscape 4.x pardign of "encrypt if possible". -------- Original Message -------- Subject: encryption Date: Thu, 26 Aug 2004 11:28:50 -0700 From: Irene Faulkner <XXXXX> Organization: Arvay Finlay, Barristers To: Derek Shaw <spam at bisi.ca> ...is driving us all crazy. please tell me how i disable my certificate so that i don't have to manually go in and unencrypt every time i send an email. thanks -- Irene C. Faulkner ARVAY FINLAY, Barristers 400 - 888 Fort Street Victoria, B.C. V8W 1H8
Product: PSM → Core
Is this bug/feature request also valid for thunderbird? is there an timeline for implementation?
Is here someone who can give some feedback about implementation of this feature? What's about implementing it in TB? Do we have to donate to speed-up this? Just Say!
For Thunderbird, what are the problems that are keeping this bug from being fixed? All I want is an "Encrypt if possible" option in the Security settings for each account. So when the user clicks the Send button, Thunderbird would check the certificates it has and encrypt to only those email addresses. Any remaining email addresses would not be encrypted. The user would also not receive any warnings, etc.
I think the holdup is that no one is even looking at it. The bug is assigned to "nobody", so my guess is that no Thunderbird developer is even involved. Some developer is just going to have to sit down and take a look at it. I'm a developer, but I have no familiarity with the Thunderbird code, so I can't do that work. However, my instinct tells me that this is a medium-difficulty feature to implement. An experienced Thunderbird developer could probably do it within a week, working full-time. (On a side note, I don't use Thunderbird. I want to see this feature in SeaMonkey).
Whiteboard: [kerh-eha]
Should the product be changed from CORE to THUNDERBIRD? I would really like to see some headway on this one!
target: future
Target Milestone: --- → Future
QA Contact: carosendahl → s.mime
Does anyone not realize the importance of this functionality? If Thunderbird is to be a viable alternative to Outlook, it needs to support an "If Possible" encryption option. The "Required" encryption option really serves no purpose at the current time; once the majority of e-mail users have certificates, then this option will become important.
Johnathan, do you want to take a crack at this UI problem?
This is a feature that would get me to upgrade to Tbird 2... There also needs to be some interaction with Enigmail: right now, I default to S/MIME signing my mail, bbut have enigmail rules set to encrypt/sign with pgp for a couple people who use PGP instead. The S/MIME rule overrides Enigmail however, so if I forget to turn off the S/MIME signing, the message goes out unencrypted. There needs to be a priority scheme: 1. If you have one key, encrypt/sign using it 2. If you have multiple keys, use priority order, or per-recipient rule, or ask I'm sure that's a lot more complex, for starters the simple "encrypt if possible" is key, and it would be *really* nice to have at least a simple minded interaction between the two systems to use the appropriate system depending on what key you have.
This feature can make encryption usable in practice in the first place, but can also be very dangerous for security. (I disagree with kaie in comment 8 - it is not for users who don't care about encryption, that's an extremely bad assumption.) Following case: I discuss sensitive matters (either private or business) with somebody, and I know we're both using encryption and signing and I once checked that it works. I rely on it with what I say - I say sensitive I wouldn't say over plaintext mail, they may eve be dangerous. Now, an attacker writes me a mail from a different email address which looks like from my friend (e.g. he uses David Guetta <david.guetta@yahoo.com> and the attacker uses David Guetta <david.a.guetta@yahoo.com> or David A. Guetta <david.a.guetta@yahoo.com>). *If* I have the Thunderbird feature on to hide email addresses in my address book (default, I think), the new email address would be shown which it would usually not. But it does not look strange or alarming. If that Thunderbird feature is not enabled, I'm even less likely to notice the change. So, in effect, I may or may not notice the email address change. But for Thunderbird, it's a completely different correspondent, and if "Encrypt if possible" is selected, the mails which are usually encrypted are not longer, and secret data is leaked. Attack successful. It's a social engineering attack, but it enabled by this feature. Like all social engineering, it can be prevented by an alert user, but he has to check the email address every time, and that's not likely. So, the UI for this needs to be very carefully designed. I agree that overzealous warning is not good, but just sending plaintext in a situation like above is not acceptable either.
Perhaps this can be done by using graphical clues throughout the experience that the conversation is encrypted/unencrypted, buttons, message background, etc. I'm thinking the encrypted emails have an ever-so-slightly pink or some kind of stippled background, and the buttons are similarly identified to indicate encryption or not. Just brainstorming ideas..
> Perhaps this can be done by using graphical clues throughout the experience Good idea. I think the meaning of color is not obvious enough, so alone won't suffice. But a lock icon on the send button - would match the browser with http.
(In reply to comment #43) > Perhaps this can be done by using graphical clues throughout the experience Yeah, I like that idea, too. A lock icon on the Send button might break some Themes, so if it does, then perhaps a status icon on the bottom of the window would easier. BTW, this is labeled as a Core bug, so it should apply to Thunderbird *and* Seamonkey. (I'm opposed to changing it to just "Thunderbird" because I use Seamonkey) But now we're talking about UI changes. The Thunderbird and Seamonkey UIs are different, so does this mean that this feature will have to be implemented separately on Thunderbird and Seamonkey?
One option is to get something working with basic functionality, allowing this bug to be closed, and then coming up with a plan for further enhancements in the UI.
One thing I think would be required is a warning to the user if the message is sent encrypted to some recipients and unencrypted to others. This would probably catch a lot of problems, if the users could be educated to pay attention to it. The lack of this feature is what is preventing us from implementing Thunderbird S/MIME encryption, Users who care about encryption have started doing guerrilla installs of Enigmail with their own GPG keys.
(In reply to comment #47) > One thing I think would be required is a warning to the user if the message is > sent encrypted to some recipients and unencrypted to others. I think that's beyond the scope of this feature. The simple solution is to use encryption only if it can be encrypted for ALL recipients. Like Steve Hay suggested, as long as it's visually obvious what's going to happen before the user presses 'send', then it should be okay. As the saying goes, don't let the perfect be the enemy of the good.
(In reply to comment #48) > The simple solution is to use encryption only if it can be encrypted > for ALL recipients. Like Steve Hay suggested, as long as it's visually > obvious what's going to happen before the user presses 'send', then it > should be okay. I would be very happy with that or, indeed, any way of using encryption that did not require the user to manually check or uncheck the encryption option for each message.
(In reply to comment #40) > Johnathan, do you want to take a crack at this UI problem? You know I love cracking at UI problems, but just at the moment, I have too much Firefox stuff going on to add this to the queue -- which is not to say that I don't consider it important, on the contrary. I wish bugzilla had a "remind me in 3 months" flag. Obviously, my lack of time shouldn't slow anyone else down. I doubt that even needs mentioning, but I wouldn't want to be interpreted as saying "this should block until security UI resources are available" since... blah. You all know that's not what I'm saying. :)
> I wish bugzilla had a "remind me in 3 months" flag. Slightly manual, but... prep-A) go to the "General Preferences" tab in Bugzilla preferences prep-B) Turn "Enable tags for bugs" to On 1) In the footer for the remindee bug add a "named tag", something like "Nov2007" maybe. 2) in November click on the "Nov2007" saved query in the bugzilla footer and look at all the bugs you added to that tag. 3) when you're done with that tag forever you can "forget" the query, or remove individual bugs from it using the Bugzilla footer as you deal with them.
Version: psm2.3 → 1.0 Branch
johnath, dveditz you should both be in the bz_canusewhines group, which means you have use: https://bugzilla.mozilla.org/editwhines.cgi to setup scheduled whines. currently it only allows for monthly. but i think be able to ask for quarterly whines shouldn't be an unreasonable request - bug 445126.
Product: Core → MailNews Core
Having to manually select "Do not encrypt this message" when sending to non-certificated recipients is a complete pain. Every day I have do this many times. Setting encryption "Required" is the only sensible option if you use encryption otherwise you might forget to manually set encrypt for certificated recipients. One of the objectives of software is to make things easy for the user. Why not just copy the Outlook system which doesn't have this restriction. A friend of mine prefers Outlook over Thunderbird for this reason and he's got a point.
Wasting your breath John, I've been telling them that for YEARS. The problem is that they seem to be hung up on an option ("Required") that no one cares about or has even asked for. Outlook has no such "required" option and users like myself are happy to use it every day. If my recipient has a certificate, then the message is encrypted "automagically"; if not, then the message is not encrypted. If users had wanted something more, they would have complained to Microsoft about it. Please, please, please stop being hung up on how you think this should work. Outlook has this capability, so let's get it into Thunderbird so we can get more people using it! The endless debate on this issue has got to stop, please. Let's get some action going on this and get it done, finally.
It's appalling how long this has gone on: architecturally, it's just not that hard: For starters: Settings: Option to encrypt with s/mime if possible Compose: When you enter an address, look for cert if found, green else red (theming this can wait if need be) If not all addresses can be encrypted encryption icon broken entire address pane pink (theming this can wait if need be) future option: insert X-Encrypted-To header for addresses able to be encrypted (maybe only in saved copy? don't hold up over this) Send for each address with key encrypt, send send unencrypted to remainder if saving a local copy if all addresses can be encrypted encrypt to self save Ideal future operation: Settings: If multiple keystores registered (e.g. enigmail says "I have a pgp keystore") option to set global priority address book has option to set priority by address initially: checkbox "try this first" (virtually 100% will have at most two: s/mime, pgp) later: numeric order to support N keystores Compose: As above, selecting from keystores per priority if addressbook priority use that else global Implementation detail: might attach key at this point to avoid bugs where compose does one thing and send another, but choice shouldn't be a show stopper Send: As above, selecting from keystores per priority if addressbook priority use that else global
Bryan ^^^^
Priority: P3 → --
Target Milestone: Future → ---
Version: 1.0 Branch → Trunk
I like the idea of changing the message appearance based on the encryption state. Though I think the sole use of colors for this indication will be problematic. * We already use red to indicate a bad address so we can't double up on bad address / unencrypted * Themes, Color Blindness, and a11y make using only color as a designator an artful dance That doesn't mean that we can't use color in conjunction with some other indicators; just that we can rely on color as our main indicator. There are two possible behavior types that I'm seeing in this bug. 1. All or nothing, "secure if possible". This means that if all recipients have a cert than we alter the message composer to indicate that this message is secure. Likely security concerned users could not use this option, though people who were explicitly trying to have secure communications and regular (insecure) communications would benefit from the ability to auto-encrypt when possible and otherwise still send mail. For this I think we want our encryption status to be related to the entire email itself and not just the recipients. Though I like indicating which recipients don't have a cert; perhaps we can do that with an alternate icon. We have a little person icon for each contact right now and it seems reasonable to me that we have a "cert person" icon for each person that has a cert. I might do something like take the from area and add an encryption status widget with an icon and label. Also coloring encrypted status background in a green to indicate the message is secure. From: [ Bryan Clark <clarkbw@example.com> | v ] {Encrypted Status} 2. I'm calling this option 'casual security'. This means that if we have certs for some contacts then we send secured, otherwise we sent plain. This is casual because the security isn't requisite as much as it's a opt-in choice. Security concerned users of Thunderbird could not use this option as there are no guarantees of security on a bad day. All the indicators would have to be inline as we all know and agree that nagging dialogs do nothing over the long term. I don't think we have a good way to convey to the user that the encrypted email they intended to send was sent unencrypted to a few people. Some users would understand this, but others might not. Different icons or colors might indicate that, however I don't think those indicators are strong enough to sleep well at night. To make this option work I've tried changing the listcell.addressingWidgetCell widgets. It's possible to make each address line show a background color that could indicate secure (white = normal, green = secure) as well as an icon that we use in the background aligned right. (sm)+secure@example.com++++++++++++++++++++++++(l) (m) insecure@example.com +++ == "green background-color" (sm) == "cert contact icon" (m) == "contact icon" (l) == "secure/lock icon" This doesn't have any real text indications of security so it's not ready for prime time but it tries to clearly convey that some people are more secure than others. -- Given the choice of taking "secure if possible" or "casual security" into the trunk I would probably have to choose "secure if possible" as a possible trunk item and "casual security" as an add-on available from AMO. People using Thunderbird who are really worried about security should lockout the AMO add-ons site anyway so I have less concern that an extension poses a threat to our general user base as having something built in. So far that's all my thoughts on this. The add-ons route is much nicer in TB3 than any other version of Thunderbird previous and we're working pretty hard to keep making it better. I didn't go into further interactions yet because it seemed unclear what the best behavior is and I wanted to get some ideas out before moving forward on them.
People who *need* security would use the "encrypt always" option, though it ought to be on a per-address basis to match the real world security requirements. Actually, that would be another option for satisfying this: for the people I have keys for, I could set "encrypt always to this person" and leave the default at unencrypted. I still want to see an obvious visual indicator however (i.e. green background on the address)...
(In reply to comment #58) > I still want to see an obvious visual > indicator however (i.e. green background on the address)... Why not simply use the lock-icon that people are used to from browsers? Open Lock == Not Encrypted Closed Lock == Encrypted "Gray" Open Lock == Not Encrypted, no key for address
As long as it's next to the address and not buried down in the corner where you don't notice it, as it is in browsers. The modern enhancement of coloring the url on secure sites is much more obvious and usable. Color is also simpler to process --- a lock image essentially requires parsing the image (i.e. determine if it's open or closed, which requires some analysis). If it's simpler, coloring the lock would be better than nothing. But it needs to be something that stands out, as, for example, when you click on reply, you (or at least *I* ;-) ) rarely even look at the address section --- it needs to be something you pickup peripherally to give you at least the chance of tripping an alarm "hey, I'm replying to Joe, why isn't that Green?" On the other hand, that's just confirmation and redundancy. Security comes from the ability to say "always encrypt to this address" in the first place, but nothing can prevent me from making the mistake of sending confidential information to the wrong address; this only gives me an improved chance of noticing that I'm doing it...
I think that the "all or nothing" behavior is what I would personally expect. If I'm sending to multiple people, I really don't expect the message to be encrypted -- not even to the one recipient that might be able to receive the message encrypted. Would I like some visuals to let me know the message is going out encrypted? Absolutely! There is nothing better than having visual reassurance that the message can and will be encrypted. Outlook has nothing like this at all. It would also be good if the recipient received some visual indicators as well. I would, however, like to receive an alert if a recipient that I always encrypt to suddenly has a problem due to an expired or revoked certificate, and the message could not be encrypted for that reason, or any other failure that might prevent the message from being encrypted when it would normally have been encrypted.
Hi, I'm a co-owner of the NSS module (Mozilla's crypto libraries), and have worked on the CMS crypto code that is used in Thunderbird S/MIME since before there was Thunderbird. I am now the nominal maintainer of that CMS crypto code. I'd like to "weigh in" here on the subject of "casual encryption" by which term (AIUI) Brian Clark seems to mean that a single message may be sent twice, once encrypted to those who can receive it that way, and once unencrypted to those who cannot. I *strongly oppose* that. Sending a message both encrypted and unencrypted defeats the purpose of encryption. It defeats any secrecy. It _ensures_ that an attacker who is "snooping" on your traffic will be able to read those messages. A user may send a message, thinking that he has preserved secrecy, because it was sent encrypted to at least some of the recipients. But when the text of his message appears in the paper, or in a court document, he discovers that it was NOT kept secret, and he declares to the world that Thunderbird's encrypted email is useless because it does not protect secrecy. I believe I am speaking for the NSS team when I say that, to preserve the reputation of Thunrderbird's S/MIME (and indeed, of S/MIME in general) we want to prevent such mistakes from being made. We want to ensure that if the user is shown that the message will be sent encrypted, that it will be sent encrypted and ONLY encrypted. In other words, a single message should be sent encrypted to all parties or unencrypted to all parties; all or nothing. In comment 57, Brian wrote: > I don't think we have a good way to convey to the user that the encrypted > email they intended to send was sent unencrypted to a few people. Even if we could, we certainly do not want the user to FIRST learn this after the fact, after the message is sent and the damage is done. In comment 61, Pete Howell wrote: > Would I like some visuals to let me know the message is going out encrypted? > Absolutely! Do you not already have those visuals? I certainly do! When I send a message signed and/or encrypted, I see icons in the composition window's status bar telling these facts very plainly while I am composing the message. See the attached screen shot.
Attached image encrypted and signed (deleted) —
here's one take on a greater visual cue for an encrypted and signed message with color, text, and icon hints. The colors are a little too much, but were just matched from the Firefox SSL/EV1 colors.
Attached image compose signed only (deleted) —
here's a similar one that is signed only. again with color, text, and icon hints. Matched color from the Firefox SSL/EV1 colors.
Those both need some work to clean up so there's no need to pick them apart just yet. My goal was to get a stronger visual element such that it would be more obvious is the message wasn't being encrypted or signed. Not sure the signed one is really necessary.
Seven years later, and it seems that the "bug" being fixed is NOT the bug that was identified. All my clients who used to happily use Communicator (Netscape 4.x) have long since been lost to Outlook. They use it because there is no "encrypt if possible" option. These are (virtually) all lawyers, and they understand the issue of keeping it confidential. They also are required to use x.509 certificates by the law society of the Province, so they need it to work. They also conduct the vast majority of their email communications without encryption because the vast majority of their correspondents don't have x.509 certs. So encryption will always be an "extra" for them. The reason it will always be and "extra" is that the uptake of free x.509 certificates, which have been available for years, is nil. Even if free, the cost to the (non-certificate) user is more than the benefit they ascribe to their privacy. I see no recognition of this fundamental situation in all the discussions above. So I suggest a dose of realism. Mark this bug "wontfix", because as it stands now, the positions being taken, and the fixes being discussed do not "scratch the itch" that caused the bug to be opened in the first place. Go and make a bug that discusses what behaviour Thunderbird and Seamonkey should have. Start with taking a close look at what Microsoft offers, 'cause as far as my encryption-conscious clients are concerned, Microsoft won when the netscape 4.x paradigm wasn't implemented in Mozilla (and then again in Thunderbird). If it's more important "...to preserve the reputation of Thunrderbird's S/MIME (and indeed, of S/MIME in general)..." than to deliver working code, then so be it. At least we'll know where the future lies.
Hey Derek, thanks for the comment! You've really clarified the use case for me. I was finding it hard to understand who was using this system and what for but I think it makes sense now. I can barely imagine your frustration if you've been watching this bug for 7 years. The development of this is caught in an internal process. As Nelson points out Thunderbird carries a reputation of being secure that is important for Thunderbird to continue to uphold. This use case, as I understand it, isn't so much about security as it is about a poor process that's being imposed on some of our users. However implementing this use case could damage Thunderbird's reputation of being secure assuming it went in the core product; likely we'd be compared to the security level of Outlook at that point. Though also likely gaining a better comparison in usability... This being the struggle of the Thunderbird product process. If you're interested in getting this fixed I'm willing to help. I don't think the process allows us to get this into the core of Thunderbird but I do think it allows us to ask for help extending Thunderbird to make this happen. So to move forward I think we need an extension built that creates the user experience you described. As we run into road blocks with the code inside Thunderbird we can file them to request changes needed to make the extension work. Likely this bug would stick around as a meta bug tracking other individual changes needed. I can give some of my time to this, I think I worked out a couple possible changes to the compose window in comment 57 that would work for this. If you or other have the programming skill to develop something that should be all we need. If you don't have programming skill then we need you to be a project manager, gather someone with programming skills and get something moving. Email me directly to discuss anything further I'm always available. A very similar circumstance happened in bug 391272 and by bug 391272 Comment #42 Martin had his own extension to get the behavior desired which should be getting up on addons.mozilla.org soon.
Re comment 62, I am not opposed to all or nothing encryption, that is a valid concern, even though "casual encryptor" is a valid category (doing it more as a matter of principle than because of any actual security requirement). It is reasonable to make sure that those with real security requirements are protected as much as practical. The more I think about it, the more I think the right answer is to allow overriding the "always/never" encrypt option from the global settings in the address book: 1. The current global "always encrypt" is almost completely useless due to the low uptake of encryption, although it could be useful in some very restricted environments 2. If you're encrypting to someone, you want everything encrypted to them if for no other reason than interfering with traffic analysis 3. If the cert expires, disappears or has other problems, you want to know (problems would likely trigger their own flags, but a disappearance would be silent under "if possible" rules) You can flag when mixing encrypt/noencrypt addresses and allow the user to decide what to do in that case, though it would still be nice to have an option to say "this user doesn't have a high security requirement, if other addresses are unencrypted, visually flag it, but go ahead and send in the clear". Something you *really* want to avoid is the situation with enigmail and rules, where you tell it to encrypt when sending to this address, and it shows no indication that it's actually going to do that before you send. There really ought to be better interaction also (e.g. I "always sign" my mail, but when sending to a pgp user, have to manually turn off x509 signing). That's probably a separate issue, but if the "always/never" encrypt were overridden in the address book, it would make sense to have signing overrides there as well for consistency... Thus, the global settings remain "always encrypt" and "always sign", with overrides in the address book for "always"/"never" "encrypt"/"sign". It would still be nice if it were arranged that pgp usage would be consistent, i.e. there was a global default encryption protocol setting with address book overrides. In any case, the little status icons buried down in the corner are hardly "very plain". Important status like that should be "in your face" (though not to the point of drowning out everything else), more like the icons on incoming mail to the right of the address/subject (though I would like to see them next to the text, where you're more likely to notice them when you've got your mind on the message content, not the message state). Fixing usability issues like this with encryption would go a long way towards increasing its use so that it *could* be the default state.
Re comment 64, i agree there's no point "sending it twice (encr. + unencr.). However, the "when possible" should be when it's possible for to encrypt for all recipients. Good UI to indicate which it will be is essential for that. Comment 68 has a good point that the current "always encrypt" is basically unusable (in all normal use-cases).
The "always encrypt" should never have been implemented as it exists today. This option would only be useful in the address book, configured only for specific recipients.
a related issue is bug 280588 and Bug 276786 that addresses the case where a counterpart cert is present, but hard to handle on the long run in the outbox/inbox once it's used
Seems related to Bug 149876, if not a dup.
Whiteboard: [kerh-eha] → [kerh-eha] [GS]
So, another three years have gone by with no movement. What bounty would it take to get this done? Setup a kickstarter for it and I'll contribute... First we need to define an acceptable solution. Per the comments above, here's a starting point: "key available" means *valid* key Settings: Global option to encrypt with s/mime if keys are available for all recipients Option to encrypt local mail store Address book: Option to always encrypt to user show address green if key available, icons showing type(s) red if no key available normal if option not selected and no key available per-user priority ("this user prefers pgp, this user prefers x509") Encryption system Plugin with priority e.g. "look for x509 first, then pgp" overridden by address book initially: radio button "try this first" (virtually 100% will have at most two: x509, pgp) later: numeric order to support N keystores each plugin manages its key store x509 moved to plugin Compose: When you select your identity, icons for which encryption systems identity has private key for When you enter an address, look for key (prioritized within subset identity supports) if found, green else if global option selected, or encrypt to user selected but no key available: red If encryption is indicated one way or another but not all addresses can be encrypted encryption icon broken Drafts: Drafts *never* signed (287294) Send Fail if encryption expected and not available, return to message edit
FYI, there's an add-on with basic functionality available for that: https://addons.mozilla.org/thunderbird/addon/encrypt-if-possible/ If keys are available for all recipients & sender, encryption is turned on; off otherwise.
The plugin does not work for Seamonkey, so I think this is still a feature request. Must say: that I dont care about visual feedback, multiple recipients, external cert services and listings and whatever extras. I personally simply do not like to look a recipients cert up (if I have it or not), before I can decide how to reply. If somebody sends me a signed message, he surely likes to receives a encrypted reply and Thunderbird/Seamonkey should do this decision automatically.
Removing myslef on all the bugs I'm cced on. Please NI me if you need something on MailNews Core bugs from me.
I just started reading some of your comments to understand why this bug hasn't been fixed for so many years. To me encryption isn't crucial. I just got me a level 1 certificate to try it out. And even in 2016 it is harder to use than you think. It's great that S/MIME is implemented in Thunderbird, but using it is way too complicated. To start using encryption I import my certificate, set up my S/MIME preferences (sign e-mails: yes, encrypt e-mails: yes) and if I ever got a signed email from somebody (and they are in my certificate storage) I want to automatically send the following email encrypted and signed. This is exactly what happens when I use the Apple Mail app on iOS. When I create a new mail, there is an open lock button. Once I enter a recipient that has a certificate a small closed lock appears next to his name (to show me that I can encrypt the mail to them) and the button shows a closed lock now. Also the title always shows me if the mail is encrypted or not. If I add a second recipient, that doesn't have a certificate, then encryption isn't possible. There's an open lock next to their name, their name (and the small lock) get red, the button shows a red open lock now and the title tells me "encryption not possible". Once I click on the red button I can either confirm not to encrypt it or just send it anyway and it doesn't get encrypted. This was just to show you how Apple's work flow works. This means, they always check if a recipient is able to receive encrypted mail. If all are able to, then send the mail encrypted, if not, warn and send it unencrypted. The UI shows this by various features which I described and this is all in all the kind of experience I would like to have in Thunderbird as well. But here I can only choose to either never send encrypted mails (which means I always have to remember to check "send encrypted" before I send a mail) or I choose "always encrypt" and get an error message (popup) in 99 % of all mails (because probably no single user out there has certificates of all their recipients). I get that some users want to have a really secure client, that warns them if an email couldn't be sent encrypted, but having some kind of UI feedback instead, (when choosing "encrypt if possible") like described above would be much easier for most users. I really hope to get this feature implemented so encryption can be easier to use.
I have been following this bug since before I graduated college. Back then, implementing this feature was (for me) more about increasing my ability to advocate the increased adoption of encrypted messaging. Even back then, it seemed like a smart general principle to make encryption easy and widespread, and it was obvious people weren't going to do it unless it was relatively easy and didn't interrupt their workflows too much. Since then, security purists have basically made it near impossible for users to get there (across the board--not just with this bug). A person above commented that the value of privacy for many is less than the cost of a free certificate and the time it takes to manage and configure it. So true distributed security remains unrealized because we make it too hard. Meanwhile, the task of security for users has mostly moved to the cloud, where there is a monetary reason to implement features users will actually use and rely upon. Unfortunately, this also means that in its current incantation we rely on trusted third parties to keep our information safe. Given one of the great benefits of modern crypto is that we don't need to rely on centralized trust models, I view this as a huge failure of our industry. With the Snowden leaks and other world events, I hope that people are starting to take a more realistic view on encryption, and particularly to weight more heavily the importance of increasing the percentage of encrypted traffic. And hopefully we are also starting to see the importance of moving away from the centralized security models, although companies that have made their fortunes on mining user data don't really want to let go of the keys to the kingdom. I've not been a Thunderbird user for over a decade. I gave up. Over the years, I've watched this bug languish variously and be mostly ignored. I'm kind of wondering if at some point this bug will break some kind of record. Or unceremoniously closed one day. Or maybe... just maybe... it will get implemented, and whatever small part of me that retains hope for this bug will finally be satisfied. Sorry, a bit of a rant/vent. I know its not the best forum for this, but had to get if off my chest after almost 15 years.
Summary: [UE] Implement "Encryption when possible" option → Implement "Encryption when possible" option
Summary: Implement "Encryption when possible" option → Implement "Encryption when possible" option for OpenPGP abd S/MIME
Summary: Implement "Encryption when possible" option for OpenPGP abd S/MIME → Implement "Encryption when possible" option for OpenPGP and S/MIME

The "Encrypt if possible" and also the Enigmail-Autocrypt feature aren't working anymore in Thundebird-78.4.
https://addons.thunderbird.net/de/thunderbird/addon/encrypt-if-possible/
https://addons.thunderbird.net/de/thunderbird/addon/enigmail/
Please provide an alternative.

Adding the phrase "opportunistic encryption" since it took me a long time to find this issue after my search for opportunistic returned no results.

As Comment 86 noted, for wider adoption of encryption, it's critical that its usage not interrupt workflow too much. I set up multiple friends and colleagues with Enigmail, and opportunistic encryption made privacy transparently easy, aside from occasional refreshing or new importation of keys. The new integration into Thunderbird is a huge step backwards, and makes PGP nearly unusable for most users. (Either they set to always encrypt, then have their workflow interrupted whenever they send to someone without a key; or they set to never encrypt, and inevitably forget to manually set encryption on every single email for which they do have recipient key(s).)

(In reply to norristh from comment #92)

Adding the phrase "opportunistic encryption" since it took me a long time to find this issue after my search for opportunistic returned no results.

As Comment 86 noted, for wider adoption of encryption, it's critical that its usage not interrupt workflow too much. I set up multiple friends and colleagues with Enigmail, and opportunistic encryption made privacy transparently easy, aside from occasional refreshing or new importation of keys. The new integration into Thunderbird is a huge step backwards, and makes PGP nearly unusable for most users. (Either they set to always encrypt, then have their workflow interrupted whenever they send to someone without a key; or they set to never encrypt, and inevitably forget to manually set encryption on every single email for which they do have recipient key(s).)

In general, I'd say the PGP integration is a step forward, but the design decision that encryption can only be globally enabled or disabled seems, with all due respect, brain dead. For 20 years, I had a very hard time getting non tech savvy users to adopt PGP, and thus when TB announced their built-in support, I was received. But this is a real bummer, because I know that most users I am interacting with will not think of having to enable encryption for the current message.

One compromise would be that TB, whenever it finds a matching key, it should, prior to sending the message, ask the user whether or not encryption should be enabled.

We're planning to support this, just didn't have time to finish it for 78.

Priority: -- → P2

(In reply to Magnus Melin [:mkmelin] from comment #94)

We're planning to support this, just didn't have time to finish it for 78.

Sorry for bothering, and I know the old rule of "it's ready when it's ready", but is the current plan to have it ready for one of the next point releases? I'd love to know in order to understand what to tell my users.

No this needs a lot of new UI, so won't be available until the next major release mid 2021 (well, in betas some time prior to that yes).

Although Bug #1654950 was fixed without any UI for now - just with a hidden config option. I guess that would suffice for a lot of people. And, actually, the UI could be just a checkbox:
[x] Automatically switch on encryption if a public key is available for all recipients
Does this basic functionality really have to wait more than half a year?
Currently, I'm sending all mails without any encryption because it's so cumbersome...

(In reply to r from comment #97)

Although Bug #1654950 was fixed without any UI for now - just with a hidden config option. I guess that would suffice for a lot of people. And, actually, the UI could be just a checkbox:
[x] Automatically switch on encryption if a public key is available for all recipients
Does this basic functionality really have to wait more than half a year?
Currently, I'm sending all mails without any encryption because it's so cumbersome...

This is just about attaching the pubkey, not about automatically encrypting when a pubkey for the recipient is available, right?

Yes, it's a totally different issue. I used it as an example to show that there are different/easier options than implementing a full-fledge UI to realize what probably most of those following this issue are looking for: Basically a simple option, to turn on encryption automatically only when there are public keys available for all recipients. Currently there is only on and off. What we need is a third option: "On if there is a known public key for all recipients - otherwise off". That would solve perhaps not all situations, but would massively alleviate the current problems and disappointment many have after upgrading from the old Thunderbird with Enigmail.

(In reply to Magnus Melin [:mkmelin] from comment #96)

No this needs a lot of new UI, so won't be available until the next major release mid 2021 (well, in betas some time prior to that yes).

This is deplorable, because, even though TB 78 provides the technical underpinnings for making end-to-end encryption easier, this limitation, according to the feedback I get, make it very unlikely for anyone to effectively start using PGP if they haven't, because they will always just forget to check the box, and for anyone who has been using enigmail in the past, this is a major nuisance. As much as I appreciate that TB is committed to making PGP use more common, I have again downgraded to 68 because of this.
The thing is: In any other encrypted communication channel, such as Signal, Whatsapp, even facebook messager, you don't have to do anything to make encryption work. It just works transparently. If prior to sending a Signal message I would have to tick a box saying "encrypt this message", few people would do it.

So, this should really get priorised, I feel. Again, I really value the efforts you are making here. I just feel that abolishing Enigmail at this stage was premature.

Wow, this bug is 19 years old! I was about to report exactly the same issue.
Currently, one can only choose between "Require encryption by default" or "Do not enable encryption by default".

What happens with "Require encryption by default":

  • every message that I send to people who do not use OpenPGP (and I do not have their key) needs to be manually unticked so that Thunderbird does not try to encrypt them.

What happens with "Do not enable encryption by default":

  • every message that I send to people who use OpenPGP (and I do have imported their key into TB) needs to be manually ticked so that Thunderbird does encrypt them. Unless I reply to a message that was encrypted.

The option "Require encryption when possible" would mitigate both unusable cases described above.
As Johannes Rohr says, look at Signal. You can see on one eye blink that your message will be encrypted (blue arrow) or not (grey arrow and text saying "Send message unencrypted"). This simplicity/transparency of use is missing in TB's implementation of OpenPGP. In 2020 this should be a standard.

Also see bug 1681938

I agree, Enigmail was better with that regards.
I am very disappointed with the deprecation of Enigmail and the move to a feature that is not ready yet.
(btw I do contribute to the Mozilla foundation)

Bug 1684783 is not a duplicate of this bug. This bug is a feature request and Bug 1684783 is a serious defect that prevents mail from being sent if it was PGP encrypted.

It's still a duplicate.

Can you explain why the defect of having TB set to "Do not enable encryption by default" but it refuses to send mail because a public key is missing is related to this feature request to prefer encryption?

Currently we support "require encryption" or unencrypted. For encrypted mails we will try to reply encrypted (totally per design).
If you don't have the key, you can switch that mail to be sent unencrypted. Perhaps the UX could be better, but the better UX would basically be this bug.

I was about to request this feature, and I found out that request is open for almost two decades... LOL

Third option for encryption would be nice:

  • Use encryption if possible (if key is available)

Possibly another configuration option for multiple recipients:

  1. abort if not all keys available
  2. send encrypted to recipients with keys and send unencrypted to recipients without keys (and display warning?)
  3. Ask

i'd like to see(In reply to darthbolek4 from comment #111)

I was about to request this feature, and I found out that request is open for almost two decades... LOL

Third option for encryption would be nice:

  • Use encryption if possible (if key is available)

Possibly another configuration option for multiple recipients:

  1. abort if not all keys available
  2. send encrypted to recipients with keys and send unencrypted to recipients without keys (and display warning?)
  3. Ask

To have some popup coming up for asking for confirmation if the message could not get encrypted is exactly what i'd like to see!

The basic solution is checking if a key exists and flipping the preexisting encryption option, which should take 5 minutes to code. I can't think of any reasonable explanation of why something so simple and that only benefits illegal mass surveillance has been open for 19 years except due to an NSA influence operation.

I'd also like a function like the outdated "Encrypt if possible". 👍

Fully agree with schaum.
Third option "Use encryption if possible" is neccessary in order to promote encryption and avoid annoying users by letting them always check or uncheck encryption settings.

For mails with multiple recipients:
If "require encryption" is set as default and (one of) the recipients key is missing the popup could ask what to do

  • send encrypted to recipients with keys and send unencrypted to recipients without keys (which should also be the case when "Use encryption if possible" is set
  • do not encrypt mail
  • abort (in order let user get recipients key)

We recently switched to TB78 and not having a simple way to disable encryption is really confusing to our users. With enigmail/TB68 we have configured encrypt+sign by default. Whenever there was a public key missing, users could simply uncheck encryption, and could send the email (one additional click)

Now this option is hidden behind security and is much less intuitive, and takes 2 clicks, and also disables signing (which might not be what we want, because maybe the recipient has my public key and would like to verify my signature). Maybe not the right bug here, but as a first step, to have 2 buttons in the composer window to toggle encryption, and signing, that would improve workflow tremendously.

If users have one account, on which they communicate with some people with PGP and with some people unencrypted, they now have a bad expirience.

Either we can disable automatic encryption, and need to remember each time to enable it for the conversations that use it, or have it on, but get a annoying window everytime we communicate with people that don't have a key.
Also I sometimes get so used that I have to disable the encryption, that I routinely disable it, even when sending an email to someone who has a key.

This all leads to frequent problems, and can lead users to accidentally send information that should be encrypted in plain text.

Having no option to use encryption if possible (if key is available) makes PGP nearly unusable for many of our users. Either they choose "always encrypt", then have their workflow interrupted whenever they send to someone without a key; or they choose "never encrypt", and inevitably forget to manually set encryption on every single email for which they do have recipient keys. This leads users to accidentally send information that should be encrypted in plain text.

To our descendants: please time travel back to 2002-04-05 to convince the community to give birth to a child with the name #135636.

To our contemporaries: It should be fixed now by any minute.

Since this ticket was created I have taught quite many people how to encrypt their email communication using Thunderbird and Enigmail. After Enigmail was dropped, this issue kind of ruins this effort, because it just won't work like this and those with good will but without dedication are repelled. It does real damage to the goal of promoting e2e encryption for email - please consider raising the severity of the issue.

Anyway, it was an honor to be part of this historic ticket.

I can only agree. The current situation is repelling users - even me - to used e2e encryption with Thunderbird.

How difficult can it be to develop an add-on that will fix the issue?

Is it not possible to just let enigmail extension works again ?

I understand it is quite frustrating for Thunderbird developer and you may have other priorities than security and user privacy
but currently Thunderbird encryption even in beta 91 version is not as functional as 68+enigmail.

If development has to be halted it may be a good compromise to just let the old extension provides what users need.

If you wish to fix the bug, please do it. But this evangelising has to stop.
There is a discussion forum for E2EE here https://thunderbird.topicbox.com/groups/e2ee
I suggest you start using it I try and follow significant bugs for developments. All this noise is making that very difficult and it is not contributing to getting the bug looked at.

I strongly encourage you to read the guidelines https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before you post in this or any bug.

(In reply to Matt from comment #124)

If you wish to fix the bug, please do it. But this evangelising has to stop.
There is a discussion forum for E2EE here https://thunderbird.topicbox.com/groups/e2ee
I suggest you start using it I try and follow significant bugs for developments. All this noise is making that very difficult and it is not contributing to getting the bug looked at.

I strongly encourage you to read the guidelines https://bugzilla.mozilla.org/page.cgi?id=etiquette.html before you post in this or any bug.

Hi,

I would like to work on this bug.
Would you or Mozilla take a PR?

If yes, could you give me some pointers where to implement this?
I am the maintainer of multiple Android apps, but have never looked at the Thunderbird source.

Flags: needinfo?(unicorn.consulting)

Thanks for offering to help. This bug is unlikely to be a good candidate to work on for a first patch though.
We are currently evaluating what route we would take here.

Flags: needinfo?(unicorn.consulting)

Hi Kiebitz,

thanks for your offer to help. I'm not a developer myself, but I'm managing Thunderbird within my organization (80+ staff), advocate for it for 10+ years, and an author of a small TB addon.

I think what gave this bug renewed attention is not only the fact that it is 20 years old, but also the fact that sending unencrypted emails with encryption enabled in TB78+ (still the case in TB91) is more complex than with TB68 and enigmail.

There is are quite some discussions, bugs about this e.g.:
https://bugzilla.mozilla.org/show_bug.cgi?id=1710453
https://thunderbird.topicbox.com/groups/e2ee/Tcb4b3decdb7e66ce/require-encryption-vs-optional-encryption
(there is much more, esp bugs.)

I'm just a person trying to keep my colleagues motivated to continue using encryption, and Thunderbird. The introduction of TB78 severely complicates sending unencrypted emails (which is the majority) while having encryption enabled (some emails per day to certain people, and those emails must be encrypted, so no way to make it optional, as my colleagues will simply forget to check the (hidden) checkbox).

So if you have time, and motivation to help improving the workflow of sending (un)encrypted emails, and it doesn't have to be this bug, I think there are many other possibilities.

As TB91 is out since a couple of days and it retained the complex workflow of TB78, I fear that any improvement could only come with TB2022 (in one year?).

Some practical examples to improve the workflow in the meantime:

  1. an addon/setting which simplifies user-interaction to disable/enable encryption in the composer (right now, the "do not encrypt" button is hidden behind a small arrow - this is already a big obstacle for the majority of users).
  2. an addon/setting which improves the error messages when you miss public keys of recipients (right now, there are 2 popups, and no way to simply click "send unencrypted")

I'm sure there is more, these are just my ideas.

thanks,

(In reply to Magnus Melin [:mkmelin] from comment #126)

Thanks for offering to help. This bug is unlikely to be a good candidate to work on for a first patch though.
We are currently evaluating what route we would take here.

I do wonder why this has been released in the first place. Enigmail has served us really well for many years, it did everything we needed.
I understand that there is ample reason to have it tighter integrated into Thunderbird, but how it was done has had the opposite effect of what was intended and I submit that this was no surprise.

For me, convincing any of my peers to use PGP has become not only not easier but more difficult, and the absence of an "encrypt whenever possible" switch is a big part of the problem. Another is that Thunderbird hasn't made it easier to exchange keys. This is the greatest showstopper. In any other trusted channels, key exchange happens without user interference in the background. With email this isn't possible because encryption is tagged on, rather than built in. But Thunderbird could at least work to make it as seamless as possible. But ok, this is for another bug report. Anyway, I hope we don't have to wait another full year for a fix.

As someone who has been educating individuals on security practices for over a decade and a half, and whose feedback has been integrated in various tools, including Enigmail, I have to say that I agree with those who see the lack of this functionality as a hindrance to the adoption of using PGP by users.

Related to the regression usability issues, I also submitted this suggestion today. Comments and critique are encouraged.

Nobody has mentioned that TB has created a separate keyring, which is as backwards as FF trying to replace the system DNS resolver. The separate keyring functionality needs removed and it should use the system keyring. It's not noise Matt and this ticket is old enough to have protests in the street. Less than 5 lines of code would resolve most of the problem, this ticket isn't complicated, it's political. The EFF should get involved.

"Implement encrypt when possible" is easy to implement.

The funktion encrypt all email already checks if there is a pgp key for encryption. If there is no key, it shows an error message. Instead of the error message just send the email unenrypted and rename the funktion encrypt all in auto encrypt.
This is may be one line of code.

As long as it's all or nothing, and it should warn. You don't want to be sending the same message both encrypted and unencrypted. Even so, it still seems like a simple fix and it's astonishing that it's been decades now...

If I may add my 2ct here: There should be (at least) two modes here: Opportunistic and strict. Where opportunistic encrypts mail, if possible. Strict does not send out any thing unencrypted.

We need this feature:
S/Mime: Standard encrypt Email - Better solution if recipient has no certificate (Great was: Encrypt if possible Add-On) an Error doesen't make sence. Better: Do you want to send the email uncrypted, the recipient has no Key. Better for my old mother and other no tech people. I found an S/Mime Key do you want to send email encrypt? The Add/On do that perfect but you change the API.

(In reply to Bob Nelson from comment #131)

Nobody has mentioned that TB has created a separate keyring, which is as backwards as FF trying to replace the system DNS resolver. The separate keyring functionality needs removed and it should use the system keyring. It's not noise Matt and this ticket is old enough to have protests in the street. Less than 5 lines of code would resolve most of the problem, this ticket isn't complicated, it's political. The EFF should get involved.

Please contribute to the discussion in that ticket. The current owner of the issue thinks it should not be fixed for reasons that have not been totally explained, and which I do not find reasonable.

(In reply to Ahmad Gharbeia from comment #136)

(In reply to Bob Nelson from comment #131)

Nobody has mentioned that TB has created a separate keyring, which is as backwards as FF trying to replace the system DNS resolver. The separate keyring functionality needs removed and it should use the system keyring. It's not noise Matt and this ticket is old enough to have protests in the street. Less than 5 lines of code would resolve most of the problem, this ticket isn't complicated, it's political. The EFF should get involved.

Please contribute to the discussion in that ticket. The current owner of the issue thinks it should not be fixed for reasons that have not been totally explained, and which I do not find reasonable.

The NSA spends millions of dollars per year specifically to corrupt "security by default" and their biggest enemy is PGP because it uses secure and quantum resistant RSA, so it's no coincidence that this ticket exists for a "security by default" problem in the most used PGP email implementation.

A similar "security by default" corruption was the multi-million dollar PR campaign to remove DHE from browsers because services started using custom generated parameters, which was replaced by ECC with unexplained fixed parameters and DUAL-EC-DRBG which has been confirmed to have an NSA backdoor. The internet is littered with government paid articles claiming ECC is more secure when all of the evidence says RSA/DHE is more secure and mathematically 521-bit ECC will be broken by quantum computers years before RSA-2048.

The explanation is an organized infiltration of OSS communities to weaken security standards.

sorry (digital security has a problem fine): But please use other plattforms to discuss that not a bug ticket. thanks. Otherwise nobody will implement that feature.

(In reply to berggeist01 from comment #138)

sorry (digital security has a problem fine): But please use other plattforms to discuss that not a bug ticket. thanks. Otherwise nobody will implement that feature.

I'm not discussing implementing a feature, my ticket was for an introduced security vulnerability related to an already existing feature which has been merged into this 19 year old "dump ticket" as a duplicate.

I add information related to other intentionally introduced security vulnerabilities because it links them together for future investigations, especially when a big company gets behind the accusation of NIST curves being backdoored, like when Microsoft got behind the accusation of DUAL EC DRBG being backdoored after 7 years of people drawing attention to it just like this.

If this isn't the correct ticket for this discussion then my merged defect ticket isn't a duplicate and needs reopened.

I think klaus.r (in comment #132 ) is right.
This option should be easy to implement:
For the start we just need a hidden config option (about:config) like "mail.openpgp.encryptWhenPossible".

  • If the setting for an account is set to "do not activate encryption by default", and a pgp key exists for the recipient, the Email will be encrypted.
  • If the setting for an account is set to "require encryption by default", and no pgp key exists for the recipient, the behaviour is as before: a warnig message will be displayed.

I need that feature for my "family". Default -> no encryption otherwise to many errors and handling problems. If encryption is possible ask user to encrypt this message or do it by default. Keep in mind it must work for sMime too (I use that for the family) family == no technical user. With the addOn encryption if possible it works perfect.

What do you mean with

the addOn encryption if possible

Is there an addOn, that already does that?

yes until the new API and now it is not possible any more. https://addons.thunderbird.net/de/thunderbird/addon/encrypt-if-possible/

During the past months, a group of Thunderbird developers and UI designers has spent a significant amount of time to discuss and plan improvements around the Thunderbird composer UI and its encryption settings. I want to inform you about a decision that is related to the enhancement request discussed in this bugzilla ticket.

We have come to the conclusion that we want the user to be in control, but that we want to make it as easy as possible for the user to control the encryption settings for an email.

Enabling or disabling encryption for an email should be a single click.
The toolbar should have a clear visual indicator, next to the "Send" button, whether encryption for this message is enabled or disabled.

If encryption is currently disabled for an individual message, Thunderbird should automatically check whether using encryption for the current message is possible (without further user action). The check should be automatically repeated on every change to the recipient list. If the check discovers that encryption is possible, because we have valid and accepted keys for every entry in the recipient list, then Thunderbird will show a clear notification, reminding the user about the possibility to enable encryption. If the user wants to use encryption, the user can click the control to enable encryption.

If encryption is turned on in the composer window for an individual message (either because you have enabled encryption for new messages by default, or you are replying to a message that was encrypted, or because the user has manually turned on encryption for the individual message), but it is impossible to encrypt, because for at least one recipient we don't have a valid and accepted key available, then Thunderbird will show a clear notification about this fact, and the notification will offer the user a path to discover how to resolve the problem.

In other words, the configuration options will remain limited to "encryption on" or "encryption off".

We do NOT want to implement a third option "automatically encrypt if possible". There have been suggestions to automatically enable encryption whenever it is possible, and automatically disable encryption as soon as encryption isn't possible. We have discussed this, but we consider it a risk.

We want to put the user in control, allow the user to control easily, and avoid surprising the user with unexpected behavior.

(In reply to Kai Engert (:KaiE:) from comment #145)

We do NOT want to implement a third option "automatically encrypt if possible".

... at least not at this time or in the immediate future.

Thank you for the detailed plan. Finally we can know what we can and can not expect from Thunderbird going forward. For me, this is a dealbreaker, unfortunately. This is just too complicated for me to constantly switch encryption on and off - even if it's just a single click. These clicks add up for every single mail when instead computers should be there to save us from useless repetitive work. Nevertheless I won't look back in anger. Thank you for a great piece of software which I happily used for over a decade. Time for something new, now. Bye.

(In reply to Kai Engert (:KaiE:) from comment #145)

During the past months, a group of Thunderbird developers and UI designers has spent a significant amount of time to discuss and plan improvements around the Thunderbird composer UI and its encryption settings. I want to inform you about a decision that is related to the enhancement request discussed in this bugzilla ticket.

We have come to the conclusion that we want the user to be in control, but that we want to make it as easy as possible for the user to control the encryption settings for an email.

Enabling or disabling encryption for an email should be a single click.
The toolbar should have a clear visual indicator, next to the "Send" button, whether encryption for this message is enabled or disabled.

If encryption is currently disabled for an individual message, Thunderbird should automatically check whether using encryption for the current message is possible (without further user action). The check should be automatically repeated on every change to the recipient list. If the check discovers that encryption is possible, because we have valid and accepted keys for every entry in the recipient list, then Thunderbird will show a clear notification, reminding the user about the possibility to enable encryption. If the user wants to use encryption, the user can click the control to enable encryption.

If encryption is turned on in the composer window for an individual message (either because you have enabled encryption for new messages by default, or you are replying to a message that was encrypted, or because the user has manually turned on encryption for the individual message), but it is impossible to encrypt, because for at least one recipient we don't have a valid and accepted key available, then Thunderbird will show a clear notification about this fact, and the notification will offer the user a path to discover how to resolve the problem.

In other words, the configuration options will remain limited to "encryption on" or "encryption off".

We do NOT want to implement a third option "automatically encrypt if possible". There have been suggestions to automatically enable encryption whenever it is possible, and automatically disable encryption as soon as encryption isn't possible. We have discussed this, but we consider it a risk.

We want to put the user in control, allow the user to control easily, and avoid surprising the user with unexpected behavior.

@Kai thank you for the feedback, the complete explanation and for all the people effort to design a good solution !

As for me and my teams, privacy coming first, it marks the end of Thunderbird as email client for us.
Good luck for the next step of this eMail client ! Thanks for all those years of services.

Thanks Kai for letting us know.
The design flaws of the current implementation make it hard for users to understand what is happening and what to do and make it too complicated to control, therefore it made sense to have automatic encryption.

Explained like this, it seems quite straightforward, but could you at least post a few screen shots with the new desing during the change, so that there is feedback from this community of passionate people before it’s too late again.

You mentioned encryption, but cryptographic signing should be managed the same way. However, encryption without signing shouldn’t be allowed, like other software already do (the reasons are explained here https://k9mail.app/2017/01/30/OpenPGP-Considerations-Part-II.html)

I agree that encryption (or even signing) shouldn’t be disabled automatically without the user being able to make a decision. That is a risk indeed.

What will happen with the surrogate openpgp-alias-rules.json as described in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1644085 ?

May I let you know that there are instances when the encryption or signing appear or disappear randomly, which should be mended as well: see bug https://bugzilla.mozilla.org/show_bug.cgi?id=1744835

This would also help make the one click interaction design simpler: https://bugzilla.mozilla.org/show_bug.cgi?id=1744757

And other annoying PGP bugs
https://bugzilla.mozilla.org/show_bug.cgi?id=1743690
https://bugzilla.mozilla.org/show_bug.cgi?id=1656670

That is the reason, why I must find a better solution for my whole family. bye bye thunderbird. I never understand, why it is not possible to implement a self configurable option. I work in the IT security more than 25 years. that behavior is the reason, why email encrypt is not mainstream. I believe what is better for people, close AddOn options with a new API and at the end after 20 years software is less helpful than before, unbelievable.

What is so difficult about an option "Would you like to be informed when you can send an encrypted e-mail? Yes / no / automatically"
yes >> You can encrypt the email. Send encrypted or unencrypted?
auto works automatically.
As an option - standard off. But you change the API and say, "Please explain to an 80 year old woman you have to select encryption before emailing me" >> Great job - user centered - agile focus on user and so on totally crazy.

But unfortunately that is normal, I see this behavior all day and then the companies wonder why more and more their software .... find it and it doesn't work.

It’s time to start contacting organizations who fund Mozilla and demand that they cut funding until Mozilla purges the NSA linked bad actors.

This isn’t the only ticket where they’ve intentionally removed preexisting security features, claimed it’s a “feature” to re-add the removed features, and let the ticket sit for years (some 19 years) but never do anything with it.

I won’t trust Mozilla again until they re-add DHE, HPKP, TLS Session Binding, and this ticket.

(In reply to Kai Engert (:KaiE:) from comment #145)

If encryption is turned on in the composer window for an individual message (either because you have enabled encryption for new messages by default, or you are replying to a message that was encrypted, or because the user has manually turned on encryption for the individual message), but it is impossible to encrypt, because for at least one recipient we don't have a valid and accepted key available, then Thunderbird will show a clear notification about this fact, and the notification will offer the user a path to discover how to resolve the problem.

Can you give a bit more detail about the "clear notification" when encryption is enabled (by default) but impossible? - I hope there is no messing around with disabling the send-Button. That would be cumbersome.
Maybe some kind of Popup, before sending? ("Encryption not possible, because of missing key for a, b, c." "Send unencrypted"/"Abort" - And maybe a third button: "Send encrypted to all possible recipients."?)

In other words, the configuration options will remain limited to "encryption on" or "encryption off".

We do NOT want to implement a third option "automatically encrypt if possible". There have been suggestions to automatically enable encryption whenever it is possible, and automatically disable encryption as soon as encryption isn't possible. We have discussed this, but we consider it a risk.

We want to put the user in control, allow the user to control easily, and avoid surprising the user with unexpected behavior.

About "user in control": At least a part of the users (already the 81 here - CC-Size of this Bug), want control in that way, that they can say Thunderbird: "Whenever I have the needed Keys, encrypt my messages." - In their situation, that's exactly the expected behavior.

I agree to the Risk of accidentally send sensitive information unencrypted. But in my opinion this consideration (vs. the risk of sending everything unencrypted - including possible sensitive information, because of "encryption is too cumbersome") can't be solved globally. The option "send encrypted if possible" is requested and imho it should be made available, at least to users that are able to use about:config.

(In reply to maison from comment #149)

However, encryption without signing shouldn’t be allowed, like other software already do (the reasons are explained here https://k9mail.app/2017/01/30/OpenPGP-Considerations-Part-II.html)

I absolutely disagree on that opinion.
The behavior described on the link doesn't convince me in any way. They write, in their client an encrypted but unsigned mail looks less secure than a plaintext mail. Well observed, but the problem isn't the encrypted-only mail, it's their decision to place a fullscreen warning on such mails. Is that some kind of joke?
The Enigmail styling looks absolutely fine for me: A pale information, that the mail was decrypted/is encrypted. No green sign, or anything else misleading towards authentication of the sender.

(In reply to deep_blue_ from comment #148)

As for me and my teams, privacy coming first,

If you argue about privacy, you should be worried about losing your
privacy accidentally. With an automatic behavior, you cannot rely on having
encryption in place.

I would like to share arguments to support the plan from comment 145.

I think it is very important that the user knows what will happen on send,
prior to hitting send.

With old Enigmail I remember that I saw the following behavior:

  • I started to compose an email, and typed the first recipient.
  • I saw that the user interface showed the icon for "encryption on",
    and I felt reassured, because that was what I wanted.
  • I typed the email
  • I added another recipient
  • I didn't look at the message status agin, I was convinced that encryption
    was turned on
  • However, I didn't have a key for the other recipient
  • When I hit send, the message was sent without encryption,
    and when I found out, I was very unhappy.

I later tried to reproduce the scenario. At the time that
I entered the additional recipient, the UI element switched to "encryption off".
But I didn't notice when I was typing the message.

The problem with that UI was, shared controls were used for
"what does the user want" and "what is possible".

In my opinion, to avoid the confusion that I ran into, an implementation would
have to use separate UI elements for "what does the user want" (e.g. a three
state button being either "off" or "on" or "decide automatically"), and
"what is possible".

With an UI like that, at the time I checked the message settings, I would have
seen that the current setting was "encryption setting: decide automatically"
and would have gotten a current feedback item like
"it is possible to encrypt to this list of recipients".

Because I really wanted that email to be encrypted, I could have changed to
"encryption setting: on (required)" and it would have prevented
me from sending without encryption after adding the additional recipient.

I think the above would require us to reserve a lot of space for these
two UI elements, I think it would have to be done with text explanations
to ensure it can be understood well by the user.

(Remember, we need to implement a UI that works for users who don't
have a deep understanding of email encryption.)

If there was agreement to use a sufficient amount of space for the UI
elements, the above would be possible, but it might not look pretty.
(We'd have to find a way to make the UI still be acceptable for users who
don't use email encryption, i.e. don't reserve too much space.)

Let's look at another example.

Alice and Bob have exchanged keys once. Alice once configured the setting
"encrypt if possible". Alice sends emails to Bob. The mail client automatically
enables encryption. Bob receives encrypted email, and all is well.
Now, Bob's key expired. Bob didn't extend the key, or didn't send it to Alice.
Alice composes an email to Bob, and because Bob's key is no longer valid,
she sends an unencrypted email. Alice didn't even notice, because the user
interface didn't clearly warn her about it.

I think this is a good argument for not simply making automatic decisions in the
background. At the very least, a strong UI feedback would be necessary to remind
Alice that the message cannot be encrypted (contrary to her assumption).

You could argue that Alice might not care, because she has once enabled "encrypt
if possible". But is she fully aware of the consequences? Maybe someone else
helped her to set it up once. Or she simply gotten used to the fact that
encryption with Bob is on, and she relies on that, without being aware of the
setting that may disable encryption at any time.

A user interface like the one I described above (separate "want" and "can")
would be necessary to clearly inform Alice that encryption currently isn't
possible, and the message will be sent without encryption.

Requiring the user to manually switch between encryption and encryption off
avoids the risk that the user doesn't notice and that the message is sent
incorrectly.

There has also been the suggestion to use a prompt at send time, that tells
the user whether the message will be encrypted or not, and asks the user to
confirm. But I think these prompts aren't sufficiently helpful. With muscle
memory, it's easy to accidentally press enter again to confirm such
a prompt, without having read it.

My point is, an encryption of "implement if possible" has risks, and it would
require a complex UI to avoid confusion.

It seems like a helpful improvement to start by giving good feedback to the
user, that will say what's possible or what's wrong with the current encryption
setting.

We're currently hoping that the intended implementation will be sufficiently
clear and simple, and that it will make it unnecessary to implement
"encrypt if possible".

Once we have reached that milestone, if there's still a desire for an
encrypt if possible mode, we can potentially revisit the idea.

If you want to make sure encryption is in place, you need a flag in your address book that says "this recipient should always be encrypted" so it can pop up a warning if the key is missing or expired.

You never want to send the same message both encrypted and unencrypted - it needs to be all or nothing.

(In reply to Kai Engert (:KaiE:) from comment #156)

I would like to share arguments to support the plan from comment 145.
[...]

Thanks a lot for all the effort spent in the discussions and explaining this in detail!

(In reply to tkitt from comment #153)

About "user in control": At least a part of the users (already the 81 here - CC-Size of this Bug), want control in that way, that they can say Thunderbird: "Whenever I have the needed Keys, encrypt my messages." - In their situation, that's exactly the expected behavior.

I agree to the Risk of accidentally send sensitive information unencrypted. But in my opinion this consideration (vs. the risk of sending everything unencrypted - including possible sensitive information, because of "encryption is too cumbersome") can't be solved globally. The option "send encrypted if possible" is requested and imho it should be made available, at least to users that are able to use about:config.

I completely agree with this.

(In reply to Kai Engert (:KaiE:) from comment #156)

In my opinion, to avoid the confusion that I ran into, an implementation would
have to use separate UI elements for "what does the user want" (e.g. a three
state button being either "off" or "on" or "decide automatically"), and
"what is possible".
[...]

If you think adding an "Encryption if possible" option would require that, I'd much prefer those extra UI elements to not having an "Encryption if possible" option at all. I personally don't see this as absolutely necessary, since users who select that "Encryption if possible" option have to do so explicitly, and maybe another option would be to show a huge warning sign in the options when doing so, explaining why this is "dangerous"?

We're currently hoping that the intended implementation will be sufficiently
clear and simple, and that it will make it unnecessary to implement
"encrypt if possible".

Once we have reached that milestone, if there's still a desire for an
encrypt if possible mode, we can potentially revisit the idea.

I'm happy to try this out once it's there, but I'm sceptical. So far, the missing "Encryption if possible" option has been what has bothered me most since the Thunderbird 78 upgrade that made Enigmail non-working. For me a "It may come back, we just didn't have the time to implement it yet" perspective was more motivating to wait than "We don't want to have it back". So personally, I'm at least considering to try out alternative email clients (like KMail, which has a "Encrypt whenever encryption is possible") in the meantime as well.

The whole point is paternalism.

They say what is good for us users and what we don't want you to allow stupid users to do.

Your arguments (on safety) and ours (on usage) are both correct.

The point is that everyone has to decide for themselves. It's like a corona vaccination. Everyone can decide for themselves. But for that there has to be an option.

Conclusion: Install the option and, if in doubt, knowingly activate it via about: Config and everyone would be very happy. Bissel maybe even build in more configuration options -> everyone can do it as they want. If you hack the Thunderbird settings, you will be able to read the email even after it is decrypted. Why do we talk here as long as politicians? Let's just implement it and the citizen decides for himself which option he wants to use. DEFAULT-off

E.g. I do not need an automatic I need a semi-automatic with a note when sending an email: You can send encrypted, if you want yes / no.

(In reply to berggeist01 from comment #159)

The whole point is paternalism.

They say what is good for us users and what we don't want you to allow stupid users to do.

Your arguments (on safety) and ours (on usage) are both correct.

The point is that everyone has to decide for themselves. It's like a corona vaccination. Everyone can decide for themselves. But for that there has to be an option.

Conclusion: Install the option and, if in doubt, knowingly activate it via about: Config and everyone would be very happy. Bissel maybe even build in more configuration options -> everyone can do it as they want. If you hack the Thunderbird settings, you will be able to read the email even after it is decrypted. Why do we talk here as long as politicians? Let's just implement it and the citizen decides for himself which option he wants to use. DEFAULT-off

E.g. I do not need an automatic I need a semi-automatic with a note when sending an email: You can send encrypted, if you want yes / no.

why is that way not possible?

(In reply to Kai Engert (:KaiE:) from comment #156)

I would like to share arguments to support the plan from comment 145.

I think it is very important that the user knows what will happen on send,
prior to hitting send.

With old Enigmail I remember that I saw the following behavior:

  • I started to compose an email, and typed the first recipient.
  • I saw that the user interface showed the icon for "encryption on",
    and I felt reassured, because that was what I wanted.
  • I typed the email
  • I added another recipient
  • I didn't look at the message status agin, I was convinced that encryption
    was turned on
  • However, I didn't have a key for the other recipient
  • When I hit send, the message was sent without encryption,
    and when I found out, I was very unhappy.

The old Enigmail, has an option, to show confirmation dialoge windows with info: send OpenPGP/S-MIME + signed/not signed + encrypted/unencrypted - Do you want to send ?

look at this screen of enigmail setting: https://www.enigmail.net/documentation/5-02-1.9.png

(In reply to berggeist01 from comment #159)

E.g. I do not need an automatic I need a semi-automatic with a note when sending an email: You can send encrypted, if you want yes / no.

This is basically the plan for how it will work yes (with a notification bar, not confirm dialog). Like Kai wrote, we hope that the implementation will be easy/clear enough that there is no need for automatics. Yes, it will be one click more for some situations. I think that is a reasonable weigh-off though.

(In reply to berggeist01 from comment #151)

As an option - standard off. But you change the API and say, "Please explain to an 80 year old woman you have to select encryption before emailing me"

With what we plan you would not have to do that. If you want her to use encryption, you set up to use encryption. She would have to click a button in a notification if she wishes to NOT use encryption for that email.

I am excited.

Sorry, then my misunderstanding is due to my poor English.

My family members (the normal user) just need to see it and be asked to take action.

I still think that if you want it automatically, you should get it. I think in the end you could even make 2 e-mails out of it, if the e-mail cannot be encrypted because of a recipient (incl. Warning & option :))

(In reply to Magnus Melin [:mkmelin] from comment #163)

(In reply to berggeist01 from comment #151)

As an option - standard off. But you change the API and say, "Please explain to an 80 year old woman you have to select encryption before emailing me"

With what we plan you would not have to do that. If you want her to use encryption, you set up to use encryption. She would have to click a button in a notification if she wishes to NOT use encryption for that email.

Most people don't have encryption. My mom would get a "Cannot send error message" if the encryption is standard. She never understood that. She never finds a deactivation, and she thinks she can't send emails. And I have the next service call :)

We'll add a key assistant to guide the user through sending if there is trouble.
I think we should also guide the user through setting up their own keys in the first place - but that is for some other bug.

Dear Kai,
thanks for the explanation, and I hope this clarification/simplification will speed up (TB 103?) the implementation of the improved UX/workflow to send unencrypted emails with "require encryption by default": something that was already implemented for years in enigmail, see comment 161 https://bugzilla.mozilla.org/show_bug.cgi?id=135636#c161). I think its very important to note how challenging the everyday use (not setup!) of encryption is for normal users: if an email cannot be sent because of missing/expired key, a lot of people will think they have a mailserver problem (see comment 165 https://bugzilla.mozilla.org/show_bug.cgi?id=135636#c165), and this will cause frustration on both ends (user + IT personnel). But it seems this will be fixed now, thanks!

Can it be assured that the openpgp-alias functionality will stay: https://bugzilla.mozilla.org/show_bug.cgi?id=1644085 (?)

It would be great if encryption settings during composing would be available via an API, so a "encrypt if possible" would be an option after all via an addon. BTW: protonmail silently sends encrypted/unencrypted messages with one click of the send-button, with not even a warning. I'm not agreeing with this behaviour myself, but it may give an indication how much one of the more secure email providers (I would say) compromises security in favor of workflow/usability.

(In reply to Kai Engert (:KaiE:) from comment #155)

(In reply to deep_blue_ from comment #148)

As for me and my teams, privacy coming first,

If you argue about privacy, you should be worried about losing your
privacy accidentally. With an automatic behavior, you cannot rely on having
encryption in place.

Not only my privacy. Privacy of my teams.

Most of our external contact do not use pgp. My Teamates are awesome but most of them won't accept or bother to click on 80 percent of their mail to acknowledge that it won't be encrypted.

In UX point of view the implementation you want to set up add a quasi systematic click. Which add a huge usage cost on one of the primary feature of a mail client, in fact it double it as we pass from a simple click to 2 in most cases. I'm pretty sure it won't help to democratize pgp feature.

In my case I send around fifty mail a day. around 30 can't be ciphered. With your implementation it means it add 30 popup and 30 click to do what I want. If you look at KMAIL it propose different behavior from automatic to ask anytime, letsencrypt extension let you do the same.

Just to be clear, I'm nobody to say that you should implement it this way or another. I'm just saying for my philosophy and usage the orientation of Thunderbird is not the good one for my personal use. I'm pretty sure that not even 1% of the user use pgp en half of them don't bother to understand how it to work and pick up a random mail provider such as protonMail.

Beside the usage cost. I think Mail client nowadays should focus on democratizing privacy technology. Democratization come with easiness not difficulties. Ones again it's just a personal opinion from a simple user..

(In reply to tkitt from comment #154)

(In reply to maison from comment #149)

However, encryption without signing shouldn’t be allowed, like other software already do (the reasons are explained here https://k9mail.app/2017/01/30/OpenPGP-Considerations-Part-II.html)

I absolutely disagree on that opinion.
The behavior described on the link doesn't convince me in any way. They write, in their client an encrypted but unsigned mail looks less secure than a plaintext mail. Well observed, but the problem isn't the encrypted-only mail, it's their decision to place a fullscreen warning on such mails. Is that some kind of joke?
The Enigmail styling looks absolutely fine for me: A pale information, that the mail was decrypted/is encrypted. No green sign, or anything else misleading towards authentication of the sender.

This thread is about email compose and there is absolutely no logical or cryptological reason to send encrypted email without signing.
What you are describing is different. Of course if other software still sends encrypted and not signed email, you receive it and you have to do something about it. How to present it is a different debate which can be done on another thread.

(In reply to Kai Engert (:KaiE:) from comment #145)

Thanks, for the explanation, and for everyone's effort to discuss it and their attempt at improvement.

I find the solution you propose acceptable.

Silently encrypting only to a subset of recipients but not others is not a sound practice, leading to a false sense of security, because the same message which is believed to warrant encryption will still be sent on the wire unencrypted, thus defying the aim of encryption. The message is -- generally -- the determinant here, not the recipient.

It could be argued that each recipient's threat analysis could dictate different choices in regard to encryption, even when the message is the same, for example when one recipient is in political/legal environment where certain communications could criminalise them but not the sender or other recipients. However, approaching the complexity of cases such as these can be left to supplementary implementations, i.e. extensions, the likes of which did exist for previous versions of Thunderbird/Enigmail. So the proper thing to ask for here is a good API that would allow others to build such more complex and customisable functionality on top of this most likely use-case.

(In reply to maison from comment #169)

How to present it is a different debate which can be done on another thread.

You are right, sorry for my little rant. It was just the most obvious point in the linked article and the one that raged me a bit.

[...] there is absolutely no logical or cryptological reason to send encrypted email without signing.

As stated above, I disagree. - Signing and encryption are measures to reach different security goals.

The primary security property reached by encryption is confidentiality. The primary security property reached with asymetric signatures is non-repudiation.
I know authenticated encryption is a good thing, some nice CCA-Proofs and so on. But authenticated encryption regularly is achieved via symmetric signatures (linke AEAD), because they give authentication but not non-repudiation/ don't deny "plausible deniability".

In the article they neglect the possibility of plausible deniability by making assumptions about the environment. While these assumptions are an option to decide which default settings to choose, this is imho no valid option when deciding which things to allow at all, because they are what they are - assumptions. And assumptions could, but don't have to be true - especially not always.
(And yes, in most cases I argue against reducing configuration options, and enforcing to do things, like the developer think, they are right. - Haven't found any better translation for the term that comes to my mind in these situations: "bevormunden".
And especially in this case, on top, it would be a regression, too.)

(Sorry for the a bit poor language quality. While writing I got some ideas regarding actual limits of my English language skills... I hope it's comprehensible.)

Regarding the discussion to encrypt without signing.

We don't need to discuss this in this ticket. We already support it, and currently we don't intend to remove this functionality. Each of signing and encryption can be separately used, or both, or none.

We think that there is value in enabling signing whenever you encrypt, that's why we automatically enable it for an individual message, if you enable encryption. However, we don't enforce it, and you can always manually disable signing.

I'm very disappointed by this decision and as it looks like a lot of people are too. Why can't the developers acknowledge that there are use cases where "encrypt if possible" is the desired and needed option. Instead they're constructing cases where the user makes an error and then decide that nobody should have this option because of that. If you want to avoid user errors, have a clear indicator next to the "To" field with the status of the email encryption with green and red colours. At the moment it's "hidden away" grey on grey in the far right corner of the status bar.

Other email clients/plugins like K-9 Mail, PGP4Win (GPGOL) and Thunderbird <78 have the option to auto encrypt. Have a read how K-9 handles it.

https://k9mail.app/2018/02/26/OpenPGP-Considerations-Part-III-Autocrypt.html

If you think "encrypt if possible" is unsafe, just don't use that option for yourself. But don't make this decision for other users. If you wish, hide that option from the average user or have a big warning sign next to it.

If you stand by your decision, most users who use TB with encryption will have only 2 options, either stay with TB 68 or use another email client.

Let me know write about my use case which worked for many years until you broke it in two ways. I administer an office with about 20 users. All emails between these users should be encrypted. External emails are usually not encrypted, apart from emails to the accountant. I, as admin, set up all keys for the users and store all public keys in a read-only share. When the user logs in, all public keys get imported into the user's key ring. This way new keys will get populated automatically without user intervention. Now you broke this workflow too by using your own key store without providing tools to automatically import new public keys. All users know that all internal email is encrypted by default. Now I can't use this option anymore without requiring a degree in computer science from my users.

(In reply to Kai Engert (:KaiE:) from comment #172)

Regarding the discussion to encrypt without signing.

We don't need to discuss this in this ticket. We already support it, and currently we don't intend to remove this functionality. Each of signing and encryption can be separately used, or both, or none.

We think that there is value in enabling signing whenever you encrypt, that's why we automatically enable it for an individual message, if you enable encryption. However, we don't enforce it, and you can always manually disable signing.

Well, only in theory. Currently TB forgets the sign settings and it can send email the wrong way without user notice: see the case study in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1744835 It happened to me that unsigned email was sent several times in spite of the identity requiring it. In this regard the automatic signature joins the current debate: if your settings require a signature, but it can’t be provided, then the user should be warned as well and offered to remedy it.

(In reply to mozilla.org from comment #173)

I administer an office with about 20 users. All emails between these users should be encrypted. External emails are usually not encrypted, apart from emails to the accountant.

Alice and Bob work at your company. Charlies is not a member of your group.

Alice sends an email to Bob. In your setup, the email is encrypted. Bob reads the email. Bob clicks reply, which will quote the original email. Bob decides to CC Charlie, because he thinks the information may be useful to him.

In your setup, the encryption for the message is automatically and silently disabled, because there is no public key for Charlie. The previously exchanged message is now sent in plain text, including Bob's reply.

It sounds very risky to me to break the assumption that internal email is encrypted, simply by adding another recipient.

With the UI we're suggesting to implement, we'd show a warning that encryption isn't possible. It would require Bob to think about the contents of the email, and whether it really should be sent to Charlie without encryption.

TL;DR: Please spare me any extra click for encryption.

I can understand the developers latest decision from a fundamentalist point of view. However, on the long term, it won't benefit proliferation of e2e encryption in emails -- and thus I can understand why some think this is intentional, given the hassles of operating encryption in TB in recent versions. (I still find myself checking in the options menu and do up to four clicks to select the correct encryption setting... I know there are two rather unimposing icons in the status bar but never got used to look there first as this would be an additional step. It really would help me if the send button had a green padlock or certificate icon.)

I'm extremely unhappy with the situation a.t.m. and I'm curious about the planned GUI and how it will work out for me.

If this is really about space, remove the security button and move it left next to the send button, naming it 'send encrypted' (maybe with a drop-down 'send encrypted and unsigned' + 'unencrypted but signed') and show it only if encryption is possible. If the accounts default is 'encrypt', change the send button to 'send unencrypted' to make it clear.

Alice sends an email to Bob. In your setup, the email is encrypted. Bob reads the email. Bob clicks reply, which will quote the original email. Bob decides to CC Charlie, because he thinks the information may be useful to him.

In your setup, the encryption for the message is automatically and silently disabled, because there is no public key for Charlie. The previously exchanged message is now sent in plain text, including Bob's reply.

"Unencrypted quote-reply to encrypted message" is a separate issue. Replies to encrypted messages MUST be encrypted by default regardless of whether a global "encrypt where possible" feature is implemented.

I propose a compromise: that the encrypted/unencrypted state change should be asymmetric. If an MUA decides that encryption is possible, it MAY enable encryption without prompting the user, so long as it indicates this state change clearly in the UI. If the MUA later decides (e.g. if another recipient has been added) that encryption will no longer be possible, it MUST prompt the user to choose a resolution. This way, upgrades are smooth and downgrades are noisy.

(In reply to Kai Engert (:KaiE:) from comment #175)

Alice and Bob work at your company. Charlies is not a member of your group.

Alice sends an email to Bob. In your setup, the email is encrypted. Bob reads the email. Bob clicks reply, which will quote the original email. Bob decides to CC Charlie, because he thinks the information may be useful to him.

In your setup, the encryption for the message is automatically and silently disabled, because there is no public key for Charlie. The previously exchanged message is now sent in plain text, including Bob's reply.

In our setup Charlie will be also one of the 20 internal users. We don't CC external parties. When we email external parties, then these emails contain only this one address in the To header.

It sounds very risky to me to break the assumption that internal email is encrypted, simply by adding another recipient.

See above and that's why there should be a visible (red) indicator, if the encryption status changes to unencrypted for any reason.

With the UI we're suggesting to implement, we'd show a warning that encryption isn't possible. It would require Bob to think about the contents of the email, and whether it really should be sent to Charlie without encryption.

I guess we need to see what you mean by a "notification will offer the user a path to discover how to resolve the problem". If it's a red indicator near the send button or the To field, that would be fine. If it's a popup "Do you want to send this email without encryption" with a OK button, then it might be ok. Anything more than this with several clicks and changing some settings which the average user won't understand is not ok.

(In reply to Kai Engert (:KaiE:) from comment #175)

Alice sends an email to Bob. In your setup, the email is encrypted. Bob reads the email. Bob clicks reply, which will quote the original email. Bob decides to CC Charlie, because he thinks the information may be useful to him.

In your setup, the encryption for the message is automatically and silently disabled, because there is no public key for Charlie. The previously exchanged message is now sent in plain text, including Bob's reply.

You can't control what a recipient does with a message - Bob could just as easily have forwarded it to Charlie. You are inherently trusting the recipient when you send them a message.

The solution proposed in https://bugzilla.mozilla.org/show_bug.cgi?id=135636#c145 would already be a huge improvement, so thanks for giving it some thought! What would be more useful than a bunch of people figuring out the supposedly best solution based on their old habits would be to actually implement a prototype, do some user testing with that, and then improve things incrementally based on the observations of that user testing. Having actual people test prototypes is the only thing that will help developers understand how users interact with a graphical interface, which is often quite different from how they imagined it would be used. Thanks for your work!

Which problem are we trying to solve

  1. Make it easy for the 1% of power users to use encryption safely in Thunderbird?
  2. Get the 99% of users who do not use encryption to start using encryption?

I want to solve question #2. For these users, convenience always wins over privacy/security. We should compare no encryption, which is what they use today, with automatically encrypt when possible. For these users, nothing is less safe/private than what they do today.
One extra click or sometimes a different behavior will put them back in to 'never use encryption'.
I have gotten my 80-year grandmother to use VPN because nothing changes for her. Email encryption with Thunderbird is not even close.

I and all the users in this thread can do encryption with or without Thunderbird but are we designing for the existing users of encryption (us) or the untaped 99% of the market?

Regards, Hagar

Thanks so much @hagar and @kai for the hard work and for providing us an update.

My use case, which I believe is at the core of this ticket: I frequently email family and non-family.

  1. When family emails each other, we want encryption to be automatic and impossible to get wrong. No dialog boxes, no checking of indicators, no having to remember to click on something. Anything but this risks sending an unencrypted email.

  2. If I cc other people, I need a warning.

  3. If I mail non-family, no encryption. No dialog box, no clicking anything.

This way I can send emails all day, every day, and not have to think or perform extra steps. And I can't make a mistake.

Can you confirm this behavior will be possible with your changes or that a plugin will be able to implement it?

(Other readers: What client have you switched to that allows this?)

Thanks for the update, Kai.

I'd be happy if the proposed solution would suffice, but I'm convinced, that the psychic effort of a click each mail is the actual problem here. Imagine, one day your favorite e2e encrypted chat messenger starts to expect you to activate encryption for each message. This is, what Thunderbird feels like since the upgrade and this won't change, until it works without that click.

It worked perfectly fine with enigmail for years. Neither I nor the people I taught mail encryption had any serious problems. I can't remember to send or receive any accidentally unencrypted mail ever. If you had higher security requirements, it was easily possible to choose the "always encrypt" option, so you could be really sure that no information is leaked. This could still be the default setting to reach your goal of security by default, even if "encrypt if possible" is offered as another choice. With regards to that I don't get the "we want the user to be in control" part to be honest. I think, there's a reasonably save way to implement "encrypt if possible", which does neither violate the user expectations nor put them at risk. At the risk of repeating, what others brought up so far and essentially describing, how enigmail worked - with some tweaks - I want to address your concerns on the basis of the former working solution.

With respect to the distinction of the indicators for "want/can encrypt" i differentiate between "want encrypt" and "will encrypt":

  • The "want" state could be determined once in the settings as default (maybe offered as wizard on first keypair generation and maybe additionally overwritable per mail in the current dropdown), which frames the user expectation with the choices
    • No encryption
    • Encrypt if possible
    • Force encryption
  • The "will" state - indicating if it will be effectively encrypted (on) or not (off) - should be placed as prominent indicator icon with intuitive feedback (like green/red). It should be possible to check the state with one glance before sending and to be sure, that the indicated action will be performed. Clicking on this indicator will switch between forced encrypted (on state) or forced unencrypted (off state) sending (so there is no way back to encrypt if possible, which is ok, as user interaction means, that some behavior should be enforced). Maybe some additional Icon hint could be added to see, if the choice is made automatically, which would vanish on the first manual interaction (like a star in the corner or a border color). On mouseover, additional information could be provided, why some state was chosen ("manually switched on/off", "key for X missing/expired/revoked"). To address your concerns about missing the state change, when the recipient list is changed, an Icon/Color/Bordercolor could be added to the recipient itself. Another way to mitigate this would be an optional additional dialog to confirm the state, as enigmail offered it with a checkbox in the settings to activate the confirmation. In my experience the dialog is not needed, if the indicator is good enough.

There would be no need to place another want indicator on a prominent place, as

  • users with No encryption setting don't expect mails to be encrypted, but could turn it on for each mail via the will indicator
  • users with Encrypt if possible setting expect it to work out of the box, can check the effective state with a glance, and can enforce encryption on demand with one click (this would be the same user effort and outcome as in your current plans) or deactivate encryption with two clicks on the will indicator
  • users with Force encryption setting expect all mails to be encrypted, but could turn it off for each mail via the will indicator

Addressing your further remarks about breaking the user expectation, there are two cases which should be handled differently:

  • New mail / Reply to unencrypted mail (upgrading to encryption should never hurt)
    • No encryption: Nothing to do
    • Encrypt if possible
      • On recipient change: Update will indicator (maybe recipient indicator), on if keys exist for all recipient emails, off otherwise
      • On send: Provide resolution path if some key is expired/revoked, send encrypted mail otherwise
    • Force encryption:
      • On send: Provide resolution path if some key is missing/expired/revoked, send encrypted mail otherwise
  • Reply to encrypted mail: Never downgrade to unencrypted. Provide resolution path, if some key is missing/expired/revoked, send encrypted mail otherwise

The resolution path could include the options:

  • try an update of the key via WKD / PKI
  • choose a key manually for each missing/expired/revoked key (a big enhancement here would be instructions, what to to - in my experience key expiration is the most confusing part for non-technical users some years after the workshop)
  • send unencrypted

As far as i can tell, all of your concerns should be addressed with this approach. People with higher security standards could keep the default force encryption setting. The user expectations for the encrypt if possible are met in a save way, as replies to encrypted mails and all mails to recipients with expired/revoked keys never downgrade silently but lead to one general resolution dialog instead (where it could be sent unencrypted with one click). It would work perfectly well with your current plans of one prominent indicator and resolution path without additional UI changes. Am I missing something?

I also want to emphasize, that simplicity is the key to scale mail e2e encryption beyond the group of technical experienced people and firmly believe, that the option encrypt if possible will do way more good than harm. Please reconsider your decision and enable the user to choose a mostly frictionless encryption mode, which already has proven to work for years.

IMHO your threat models are wrong.

Doing proper security is first having a proper threat model (= what are the most likely attackers and flaws). A good part of this issue at stake seems to revolve around the fact that threat models appear to be wrong.

1/ The idea of never sending both encrypted and unencrypted relies on the hypothesis of an omniscient attacker, like a powerful state spying on people. It's a common scenario, but far from the only one. Your company, tech-savvy revengeful roommate, local restaurant with poor Wifi+poor server TLS... there are many credible scenarios without an omniscient attacker. If your recipient with encryption is the only possible victim amongst other recipients, it makes sense to still send it (now it gets trickier in multi-party discussions, but for a one-time send esp. Bcc the point is obvious) . In fact, even if you don't know who are the most likely victims, it still makes more sense to encrypt some than to encrypt none, statistically. Not to mention, of course, getting e2ee to the general public.

2/ The idea of never sending unsigned encrypted messages is a good one in theory, but relies on the hypothesis of an active attacker (= that can modify content). Same as previous point : it's common, but far from the only one. There are many (more) passive attacks, and if you consider the ergonomy problems we're having regarding encryption, you know you WILL find yourself in situations where you NEED to send an email immediately, but have no private key on the current computer for some reason. Better to send it encrypted than not encrypted at all : for all you know, the attacker may not be more than passive, and you can still confirm with your recipient via other channel that it's unsigned. STILL better than unencrypted.

There definitely IS value in not having all settings at mandatory maximum security all the time. All I'm saying is "false sense of security" can't be an excuse for everything. Case in point : it has lead to less security.

As for the GUI : it seems to me the encryption state (encrypted, signed, both or none) in the context of encrypt-if-possible CAN be displayed per recipient easily, in the autocomplete field. Look at how Vuetify does it : https://vuetifyjs.com/en/components/autocompletes/#item-and-selection

You shouldn't shy away from using colors, icons, and maybe tooltip for a full user help.

(Sorry I didn't mean to teach you security, more like get the point across for all participants)

If I may reformulate : you need a better UI to dissipate the false sense of security & clarify the situtation before sending, not block the feature (nor hide it behind dialogs). Thank you.

(In reply to damien.d from comment #184)

IMHO your threat models are wrong...

  • 1

Not sure why my plus 1 did not show properly +1

Now, the current mode is still relevant for a minority of people who really can't afford a mistake (but this means they can afford to read the guide and take proper precautions). Maybe that can be present but disabled by default ? Thanks again.

Email use on Thunderbird, I'm sure, will be on average less secure because of this regression: now you have to choose between "all encrypted" and "never encrypted", and if you choose "all encrypted", then you have to lose three seconds per email sent on average, because most sent email is unencrypted. So anyone will end up going "never encrypted" and then forget to encrypt.

Thus it is a regression from the former behaviour of Thunderbird (with Enigmail), even though I acknowledge the fact the latter was not perfect, however it worked better on average. To want a UI experience 100% perfect, you need to overhaul everything, I understand, but meanwhile you'll have thousands of people deactivating encryption because it is too much a hassle.

This regression is equivalent to put up a new notification after an upgrade that reads “now encryption is very difficult to use, would you like us to deactivate it for you?”

+1

(In reply to nucleos from comment #190)

... but meanwhile you'll have thousands of people deactivating encryption because it is too much a hassle.

... or not updating and staying with 68.x where everything works as it should.

How can this be a problem 20 years later??? wtf

I just sent an email and forgot to encrypt it, found my way here trying to find out why a email cannot automatically select encrypted where a key exists for the destination address, or a flag in the address book to always encrypt for this address.

How on earth does this problem exist so long, I'm shocked at the 20 year age of this bug.

You guys have a fantastic product, and a tremendous thank you is in order, but please at the very least put a check box in the address book for always encrypt this address.
It appears that Thunderbird already peeks into the address book for the Prefers message format (Unknown, HTML, Plain text), just stick a check box under there for "Always Encrypt messages" or (Yes/No)

I'd say it's time to wrap this one up, please give it consideration.

Bless you all and Thank you;

(In reply to George from comment #195)

I just sent an email and forgot to encrypt it,

While we're not yet ready to provide automatic encryption, we'll try to add a reminder, shown in that situation, in bug 1771122.

I'll also land a few strings here, that we could potentially need later.

Assignee: nobody → kaie
Status: NEW → ASSIGNED

(In reply to Kai Engert (:KaiE:) from comment #196)

(In reply to George from comment #195)

I just sent an email and forgot to encrypt it,

While we're not yet ready to provide automatic encryption, we'll try to add a reminder, shown in that situation, in bug 1771122.

I'll also land a few strings here, that we could potentially need later.

Bless you, that would be fantastic.

Thank you.

In the meantime we have released Thunderbird 102, which has the improvements that were previously announced.
It should make it much more easier to enable or disable encryption.
If the user's account is configured to support encryption (have own keys/certificates), and the user starts to compose an email, and Thunderbird notices that there are valid and accepted OpenPGP keys, or valid S/MIME certificates, available for all recipients, then Thunderbird will remind the user that encryption is possible for this message, by showing a notification bar. It then takes just clicking a single button (inside the notification or on the toolbar) to enable encryption.

Despite that, I understand that this doesn't yet address the request of this bug, which asks for fullly automated enabling or disabling of encryption.

I would like to make an attempt to offer this functionality, I have an experimental patch that I would like to offer for testing, and I'm interested in feedback.

To enable the functionality, in account settings, besides the choices to enable or disable encryption for new message, the experimental patch adds a new third choice, which offers to automatically enable or disable encryption.

The thoughts behind the experimental implementation are:

  • the user must be able to see on screen what will happen at the time the message will sent (prior to clicking the "send" button)
  • no prompts (the user shouldn't be required to perform any choice)
  • ensure the user can notice if encryption is automatically disabled

The last point is my primary concern of any solution that we consider.
I'm worried about the following scenario:

  • The user composes an email, and enters one initial email address.
  • We can encrypt, we automatically enable encryption. We show status in the UI that encryption is enabled.
  • The user notices that encryption is enabled, makes a mental note that it is enabled, and feels safe about typing sensitive information.
  • The user prepares the email, writes all the text, and the user is almost ready to send it.
  • In the last minute, the user decides to add another recipient. But we cannot encrypt to that recipient.
  • Because the user is in automatic mode, we automatically disable encryption.
  • However, the user might not notice that we automatically disabled encryption

It is very important to me that we'd use an implementation that strongly makes the user aware, whenever encryption was previously enabled, but Thunderbird decides to automatically disable encryption (because it isn't possible, and because of the configured mode to automatically decide).

WIth the experimental patch that I'm providing, a warning notification will be shown on screen, in bright yellow, which says "End to end encryption was automatically disabled, because you cannot encrypt to at least one recipient."

My questions are:

  • is this warning sufficient to address my concern? For users who had previously noticed that encryption was automatically turned on (visualized by the changing state of the encryption toolbar button), can we assume that this notification is sufficient for those users to realize that encryption turned off again?
  • can everyone asking for the full automatic behavior tolerate this notification?

(If you were reading this from the email notification, please read the updated comment in bugzilla, I've fixed a few typos/mistakes.)

I like your approach in principle. I would just add that if a warning message is displayed, it should always be as specific as possible. “You cannot encrypt to at least one recipient” is good, but vague. “You cannot encrypt to the following recipients: <foo> <bar>” is much better. Warning messages that could have supplied more information but didn't are one of my pet hates. ;-) If there is too much detail to display at once, hide it under a dropdown or a link, but still make it available for those who really want it.

As a further enhancement, you could have hot buttons for remediation actions, e.g. "remove these recipients" or "send without encryption", and refuse to send until the user explicitly picks one. This might be too intrusive for most though, so should probably be opt-in (and doesn't have to be addressed right away).

Andrew, thanks for your feedback. Did you already try the Thunderbird 102 release, and have you already experienced the improvements we made to encryption settings in the composer window?

(In reply to andrewg from comment #202)

“You cannot encrypt to at least one recipient” is good, but vague. “You cannot encrypt to the following recipients: <foo> <bar>” is much better.

If there are many, the list can get long. We already have a way to communicate problematic recipients.

If the user explicitly enables encryption (either because that's the default setting for new messages, or because the user has explicitly clicked the "encrypt" toolbar button in an individal message), then we already give visual feedback about the encryption-incompatible recipients: We show the problematic email addresses with highlighting color.

But we do so, because in "requested encryption" mode, those really are causing a problem - cannot send encrypted.

Please remember that we're talking about this new mode, when the user has explicitly stated they simply want it to be handled automatically. If the user has said they want it to be automatically decided, then why should we highlight what the problematic recipients are? They are no problematic recipients in automatic mode, because we can send without encryption.

My impression is, the request for an automatic mode is "don't bother me if encryption isn't possible". And highlighting problematic recipients, whether it's with a color, or listing them in a text message, could be considered as too much bothering. The user might still get the impression that something is wrong and must be fixed. But in automatic mode, there is no need to fix anything.

I see three scenarios:

  • the user really doesn't care, then the user will be ok with not encrypting, and doesn't need the information what's causing the non-encryption
  • the user really wants to encrypt. In that case, the user should override the automatic decision and click the encryption button to require it. And that, already today in the production 102 version, will give the user the feedback you're asking for. Thunderbird will highlight all recipients that are problematic, will display a summary, and will offer to open a key assistant, which will show in detail which users are problematic, and will even attempt to assist the user to resolve this situation
  • the user doesn't think encryption is necessary, but the user is simply curious to learn what's causing the problem. In this scenario, I'd prefer to avoid that we have to introduce an additional mechanism to give this feedback to the user, I'd prefer to reuse the feedback described above. If the user is curious, they can enable encryption, look at the state, and if they decide they don't want to encrypt, they can manually turn it off again.

So in order to fulfil your request, we'd have to make the user aware of the above approach that can be used to see the list of problematic users.

Maybe this could be achieved by using a different notification message, like:
"End to end encryption was automatically disabled, because you cannot encrypt to at least one recipient. You may manually enable encryption to learn more."

(In reply to Kai Engert (:KaiE:) from comment #199)

My questions are:

  • is this warning sufficient to address my concern?

Yes

  • can everyone asking for the full automatic behavior tolerate this notification?

I worry that noob users are confused about it and any user gets annoyed about it if they often write to several people in one email and at least to one of the recepients can not be encrypted. I worry that users say "this encryption thing is just complicated annoying, I just disable it to get rid of this warning every time, so all just works fine again like in the good old time."
The every day "Warning" could disturb users or they get used to that everyday warning and at the end click away any warnings at all.
Alternative without "Warning": If encryption is not possible for all recipients, after clicking on send button open a rather neutral popup saying "Send mail unencrypted. <OK> / <Cancel>"

I would prefer not to have any whistles and bells in automatic mode.

Thunderbird decides to automatically disable encryption (because it isn't possible, and because of the configured mode to automatically decide).

If sending to two recepients, and to one can be encrypted and to the other not, will in automatic mode the mail to the encrypt-possible recipient be encrypted but to the other recipient sent in plain text, or will be sent to both in plain text? The latter case I think would not be "Encryption when possible" that is the title of this bug? Maybe there should be a visual toggle for every recipient that shows if for that recipient encryption is enabled or not, and it should be encrypted for all recipients where possible?

Andrew, thanks for your feedback. Did you already try the Thunderbird 102 release, and have you already experienced the improvements we made to encryption settings in the composer window?

Yes, I did! The changes do look good, they're a great improvement so far.

If there are many, the list can get long. We already have a way to communicate problematic recipients.

Yes, and these are great for must-encrypt mode, as they clearly indicate problems that must be addressed. But do you intend that these will also be used in opportunistic-encryption mode? If so, they seem visually too strong for what we're talking about here, as they imply an error rather than a warning. Or do you mean a similar kind of notification with different (less urgent) styling?

If we want to remain consistent with the To: field notifications, maybe a better idea would be to highlight (subtly) which recipients can be encrypted to, rather than those which can't. This way, the user would still get visual feedback but in a much less intrusive manner. These could even be displayed regardless of the opportunistic-encryption setting (a gentle reminder of what is possible, rather than what is impossible).

After thinking about it a bit more, there are four classes of recipient in a 2x2 matrix of "encryption possible" (i.e. valid key available) vs "encryption required". It is no longer possible to set "encryption required" per recipient, but the concept is still useful when thinking about visual cues in the (must|may|don't) encrypt operation modes.

If encryption is impossible but required, then the current yellow warnings are perfect. If encryption is impossible but not required, then the default styling is appropriate. Considering the other two possibilities:

  • If encryption is possible but not required, then perhaps a subtle decoration (e.g. a lock badge) could be added to the name, similar to the address-book dot (and with a similar tooltip explanation).
  • If encryption is possible and required, then should the default styling be used (since no action need be taken), or something distinct (as a visual confirmation)?

One big caveat is that putting a lock symbol of any kind in the To: field has a variety of possible (mis)interpretations. But relying solely on colours raises accessibility concerns.

Also re styling, is it intentional that the "Encrypt" button in the compose window doesn't darken when selected, even though similar buttons elsewhere in the UI (e.g. "Quick Filter") do? I think if the "Encrypt" button darkened on selection then encryption mode changes would be much less likely to get overlooked.

Regarding visualization: I agree with andrewg, that an information about the recipients without key would be good.
If you care about too long lists, than I would propose: Under a limit of maybe 2, 3 the recipients are shown in the warning and above a hint like "Press the <Encrypt> Button, if you want see all unsupported recipients." ("Encrypt" maybe could be a link/"hot button".)

If you disagree with showing them entirely, at least the (text) hint how to get them visible would be good.

I haven't tested 102 or the patch so far, but both sounds like good improvements.

Perhaps the simplest UX change would be to alter the address-book dot from a two-state to a three-state field: "not in address book", "in address book", "in address book and has an encryption key". The third state could be denoted by a rosette.

Severity: normal → N/A

(In reply to Arvidt from comment #204)

Alternative without "Warning": If encryption is not possible for all recipients, after clicking on send button open a rather neutral popup saying "Send mail unencrypted. <OK> / <Cancel>"

My understanding of advice from UI designers is, such prompts really need to be avoided, this idea is also an important part of our recent rework of the user interface.

Prompts in the middle are surprising, and it's far too easy to click the wrong button (muscle memory).

If sending to two recepients, and to one can be encrypted and to the other not, will in automatic mode the mail to the encrypt-possible recipient be encrypted but to the other recipient sent in plain text, or will be sent to both in plain text?

No, I'm convinced that a message must be sent consistently. Either encrypt to everyone, or not encrypt to anyone.

If a recipient receives an encrypted message, and the client shows that the message is encrypted, the recipient should be safely able to conclude that the message content traveled with encryption to everyone.

(In reply to andrewg from comment #205)

If there are many, the list can get long. We already have a way to communicate problematic recipients.

Yes, and these are great for must-encrypt mode, as they clearly indicate problems that must be addressed. But do you intend that these will also be used in opportunistic-encryption mode? If so, they seem visually too strong for what we're talking about here, as they imply an error rather than a warning. Or do you mean a similar kind of notification with different (less urgent) styling?

No. If encryption is optional, I do NOT want highlighting of missing-key-recipients, to avoid that the user perceives them as problematic/blocking. (They aren't in optional/automatic mode.)

If we want to remain consistent with the To: field notifications, maybe a better idea would be to highlight (subtly) which recipients can be encrypted to, rather than those which can't. This way, the user would still get visual feedback but in a much less intrusive manner. These could even be displayed regardless of the opportunistic-encryption setting (a gentle reminder of what is possible, rather than what is impossible).

(In reply to andrewg from comment #206)

  • If encryption is possible but not required, then perhaps a subtle decoration (e.g. a lock badge) could be added to the name, similar to the address-book dot (and with a similar tooltip explanation).
    ...
    One big caveat is that putting a lock symbol of any kind in the To: field has a variety of possible (mis)interpretations. But relying solely on colours raises accessibility concerns.

As you say, there's the risk of misinterpretation. The user could falsely conclude that recipient-shown-with-lock means that the message WILL be encrypted to that recipient.

I think we shouldn't overload the UI. If the user wants that information, they can get it. FYI, I didn't mention this yet, but another way to get this information is by opening the "Key Assistant" from the OpenPGP/SMIME toolbar button, it will explain exactly what you have and what is missing.

  • If encryption is possible and required, then should the default styling be used (since no action need be taken), or something distinct (as a visual confirmation)?

If all is good, the enabled encryption button seems sufficient feedback, there's no need to stress the user's attention further.

(In reply to andrewg from comment #207)

Also re styling, is it intentional that the "Encrypt" button in the compose window doesn't darken when selected, even though similar buttons elsewhere in the UI (e.g. "Quick Filter") do? I think if the "Encrypt" button darkened on selection then encryption mode changes would be much less likely to get overlooked.

For me, both buttons already darken in the same way when clicked/selected. If they aren't for you, please file a separate bug. (Let's try to keep this long bug focussed.)

(In reply to andrewg from comment #209)

Perhaps the simplest UX change would be to alter the address-book dot from a two-state to a three-state field: "not in address book", "in address book", "in address book and has an encryption key". The third state could be denoted by a rosette.

I've never noticed such a "dot" and cannot even find it now. I think such subtle notifications cannot be understood (or even noticed) without a clear explanation.

However, what I'm learning from your feedback, you really want some kind of feedback, that immediately answers the question "WHO are the recipients that caused automatic encryption to get disabled?".

The solution that would require the least amount of new work, and reuse as much of what we already have, would be like this:

"Automatic End-to-end encryption was disabled, because you cannot encrypt to at least one recipient. [Learn More...]"

If the user clicks the "Learn More" button, we bring up the "Key Assistant" popup (the same one that you can access at any time from the toolbar button). That dialog already explains it in detail, and provides assistance, if desired.

I've never noticed such a "dot" and cannot even find it now. I think such subtle notifications cannot be understood (or even noticed) without a clear explanation.

There is a tooltip that appears on mouse hover, but I agree this may not be sufficiently intuitive.

The solution that would require the least amount of new work, and reuse as much of what we already have, would be like this:
"Automatic End-to-end encryption was disabled, because you cannot encrypt to at least one recipient. [Learn More...]"
If the user clicks the "Learn More" button, we bring up the "Key Assistant" popup (the same one that you can access at any time from the toolbar button). That dialog already explains it in detail, and provides assistance, if desired.

This sounds perfect. As you say, it would be wise to keep the UX changes to a minimum; there is nothing fundamentally wrong with what is there now.

Thanks, and sorry for the flood of half-baked ideas... ;-)

We must make a decision for the following scenario.

Today, with manual encryption control, when replying to an encrypted message, we automatically enable encryption for the reply. (The idea is, because we're quoting the original message by default, sending a reply unencrypted would leak the original message.)

Today, if the reply cannot be sent encrypted, the user is forced to manually and deliberately disable encryption.

What should happen in automatic mode?
If we automatically disabled encryption because of a missing/unusable recipient key, we'd leak the original message automatically.

To find a decision, we should ask, what's the purpose of this automatic encryption mode?

In my opinion, the intention is to have an automatic upgrade to more security, if easily possible. But the mode shouldn't result in a downgrade of security for existing conversations.

In my opinion, even in automatic mode, we should require the user to manually disable encryption, when replying to an encrypted message.

My view is that the old behavior was for the knowledgeable people who really cared about encryption, who were willing to use Thunderbird for encrypted messages (manual mode)

The new automatic mode is for everyone else who did not use encryption because it was too much trouble.
Therefore the metric that we should judge the success is how many people use encryption not how safe the automatic mode is, if you want safe use manual mode.
The automatic mode should not require any manual disable encryption, since the goal is to get more people to use encryption.

The question we should ask ourselves is, does this automatic mode make emails more secure in total, for all Thunderbird users? Improving the experience for the tiny tiny group of people who used manual mode, is the thinking that made this bug be ignored for 20+ years.

(In reply to hagar2272 from comment #214)

The question we should ask ourselves is, does this automatic mode make emails more secure in total, for all Thunderbird users? Improving the experience for the tiny tiny group of people who used manual mode, is the thinking that made this bug be ignored for 20+ years.

No. Automatically disabling encryption without the user’s agreement is a bad idea, especially if you received the message encrypted. You take the responsibility of divulging it in spite of the sender putting trust in you. It can’t be the developer’s “fault”.

I totally agree with Kai’s experienced point of view: in case of an impossible automatic decision, the user should be the decision maker. Since the automatic mode is enabled, it’s not preposterous that the user knows encryption is still working and they can do something about improving the situation (like deciding to not send, but find the PGP key before another action or whatever they decide).

As with your home, no matter what kind of doors and keys you have, you still see your doors and windows; and sometimes there is something that makes that they don’t work properly.

I agree with maison completely - it's never right to auto disable encryption when it's expected. The user can easily disable it if need be...

(In reply to maison from comment #215)

It depends on what goals and assumptions you are making.
What percentage of users are using encryption is Thunderbird? I do not have the data but I think it is a tiny percentage (my assumption 1).

You are trying to avoid harm, minimizing unencrypted messages sent that were meant to be sent encrypted or not at all.
I try to maximize potential benefits, maximizing the number of messages that are sent encrypted (my goal 1)

The majority of Thunderbird's encryption thinking is following the minimizing harm strategy.
Remove all the encryption capabilities of Thunderbird and you will have zero harm described above.
Do you see the problem with only focusing on the minimizing harm strategy?

You need to balance both strategies. This bug has been open for 20 years because not enough people were using encryption for it to be a priority. Is that not a bigger problem than a few emails sent unencrypted by mistake?

(In reply to hagar2272 from comment #214)

Completely agree. This is a new perspective stated in RFC7435 (“Opportunistic Security: Some Protection Most of the Time”) (implemented e.g. by Autocrypt). Search also for "opportunistic" in this thread.

(In reply to Kai Engert (:KaiE:) from comment #213)

have an automatic upgrade to more security, if easily possible. But the mode shouldn't result in a downgrade of security

Well, could be that the sender encrypted automatically without the sender knowing anything about encryption (and therefore not as maison wrote, have "putting trust" in the receiver), which would be perfect automatic "encrypt when possible" security upgrade. When the receiver then cannot reply encrypted, than it's just back to the baseline (unencrypted) that would have been also when the automatic "upgrade" would not have taken place in the first step.

We should look at the whole conversation (message thread) as one. If the conversation is encrypted I think it's totally fine to require action to break out of that mode.

(In reply to hagar2272 from comment #217)

You are trying to avoid harm, minimizing unencrypted messages sent that were meant to be sent encrypted or not at all.
I try to maximize potential benefits, maximizing the number of messages that are sent encrypted (my goal 1)

You need to balance both strategies. This bug has been open for 20 years because not enough people were using encryption for it to be a priority. Is that not a bigger problem than a few emails sent unencrypted by mistake?

It might not be a problem in some cases, but in some cases it might be, you can only speculate. Downgrading security is not maximizing the benefits; say it to activists, journalists, doctors, people living in dictatorship.
Encryption is not about maximizing the user base in spite of them, it’s about keeping data safe when it is deemed so. Education is a side benefit rather than hiding control.

(In reply to Arvidt from comment #218)

Well, could be that the sender encrypted automatically without the sender knowing anything about encryption (and therefore not as maison wrote, have "putting trust" in the receiver), which would be perfect automatic "encrypt when possible" security upgrade. When the receiver then cannot reply encrypted, than it's just back to the baseline (unencrypted) that would have been also when the automatic "upgrade" would not have taken place in the first step.

This is pure speculation. You can’t assume that someone didn’t know what they were doing, unless you have proof to that and even that is a case by case. When you don’t know, you have to take the conservative hypothesis.
The baseline is how the conversation was previously, which might be encrypted or unencrypted.

I would like to clarify the scope of this bug. It is NOT about opportunistic encryption. The bug here is not about automatically trusting keys.

The enhancement proposed here still requires that the user has marked OpenPGP public keys as accepted. For OpenPGP, I define the feature request "encrypt when possible" as "it is already possible, because the user has already configured a recipient's public key: obtained and accepted".

This enhancement is strictly limited to automatically enabling or disabling the encryption flag for individual messages, depending on what's already possible based on existing configuration.

(In reply to Kai Engert (:KaiE:) from comment #221)

I would like to clarify the scope of this bug. It is NOT about opportunistic encryption. The bug here is not about automatically trusting keys.

Thank you for clarifying but I am still confused.
How can the user be unhappy with automatically not trusting a key that the user has not marked as accepted? The automation is consistent and does exactly what it is supposed to do automatically.
Why are you assuming that the user wants to encrypt if they did not mark accept the keys as accepted?

(In reply to Kai Engert (:KaiE:) from comment #221)

I would like to clarify the scope of this bug. It is NOT about opportunistic encryption.

Sure, not as a whole, the scope of this bug touches only a small part of the concept of opportunistic security.
And one part of the concept answers your concrete question, if it would be ok to reply in cleartext to a received encrypted message without bothering the user.
For RFC 7435 this would be perfectly ok, because "the default protection is no protection, and anything more than that is an improvement."

BTW I recommend to read Kai's very fine TB user group analysis on the mailing list where this bug was referred to as the implementation of a "relaxed mode".

(In reply to hagar2272 from comment #222)

(In reply to Kai Engert (:KaiE:) from comment #221)

I would like to clarify the scope of this bug. It is NOT about opportunistic encryption. The bug here is not about automatically trusting keys.

Thank you for clarifying but I am still confused.
How can the user be unhappy with automatically not trusting a key that the user has not marked as accepted? The automation is consistent and does exactly what it is supposed to do automatically.

I see the answer to your question is in the comment of Kai you partly cited: Automatic accepting keys is just not in scope. The problem of getting the needed keys (and accept them) is not addressed in this bug.

Why are you assuming that the user wants to encrypt if they did not mark accept the keys as accepted?

Kai wrote the opposite of your presumption:
(Kai Engert (:KaiE:) comment #221)

[...] The enhancement proposed here still requires that the user has marked OpenPGP public keys as accepted. [...]

Imho your questions are just not relevant in context of this bug. And solving this bug will not address them. The first one might be a topic for another bug. (if not already existing)

I would advocate for enabled encryption and ask if it is not possible, if the user replies to an encrypted message.

In my opinion it is a narrow case. So the number of mails where the user has to take manual action is quite limited.
And for one sub-case (Key exchange, where the user hasn't imported the key of the sender of the answered message/ recipient) it even would be a good reminder to import and accept the key. (if there is no automatic import& acceptance)

If encryption get's disabled I see the already stated problem: The content of the encrypted message is leaked and I think it's a good idea to avoid this. - This sounds like a downgrade for me, too.

To keep encryption enabled also ensures consistent behavior: In manual mode encryption would be active (btw: automatic!).

(In reply to Arvidt from comment #218)

[...] Well, could be that the sender encrypted automatically without the sender knowing anything about encryption [...]

I see absolutely no evidence to assume, that the sender doesn't know anything about encryption.
Imho it's not feasible to make any assumptions about the knowledge of the sender. What we know is: The sender has the key of the user and he used it to encrypt the message. He is capable of dealing with encrypted messages and he decided (maybe manual, maybe by configuring his MUA to send encrypted, maybe automatic if possible :-) ) to send the message encrypted.
So the sender prefers encrypted messages, at least in this conversation. - If the user/ the MUA should divert from this decision, it should be done by explicit choice of the user.

(In reply to hagar2272 from comment #222)

(In reply to Kai Engert (:KaiE:) from comment #221)

I would like to clarify the scope of this bug. It is NOT about opportunistic encryption. The bug here is not about automatically trusting keys.

Ignore my message 222, I missread KaiE 221, sorry for any confusion it causes.

My goal is not to design this small automatic vs manual action, but to change the mindset of how Thunderbird think about encryption and security.
Convenience vs sececurity conviniece will win.
I would like more emails to be encrypted so people who use encryption do not stick out as a sore thumb.
I want a world where all non-encrypted emails are viewed as spam, it would be a better world.

In my opinion, even in automatic mode, we should require the user to manually disable encryption, when replying to an encrypted message.

This is the only correct approach. Consider the following scenario:

Alice sends an encrypted message to Bob. Mallory cannot read or modify the encrypted message body in transit, but may be able to modify the headers. If Mallory were to (say) add a Reply-to: header so that replies were directed to an address visually similar to Alice’s, Bob may inadvertently reply to that address instead, and is likely to quote-include Alice’s original plaintext. Silently disabling encryption for yhe reply enables a downgrade attack on Alice’s original message, regardless of Alice’s encryption preferences.

There are ways to mitigate this attack (signed headers etc) but there are no circumstances in which silent downgrades in the middle of conversation threads are desitable, so they should be made impossible in principle.

The same considerations also apply to forwarded messages, so the same downgrade protections should be enforced there also.

Off-topic but an honest question to all in this thread, trying to understand where people are coming from.

How many of you regularly send or receive encrypted emails in Thunderbird? If so how are you handling reading the email on your phone?

I know there are secure email phone apps but I am too lazy to set up and maintain all of that, since I basically get zero encrypted emails.
I use point-to-point apps like Signal if I want to communicate securely.

hagar2272, this bug is already very long and complicated to follow, and for anyone who wants to join the discussion, it's already hard to jump in. Please move side questions to the e2e mailing list:
https://thunderbird.topicbox.com/groups/e2ee

The discussion in this bug should focus on the described enhancement, on the decisions we need to make, and the directly related arguments.
Thank you

Sadly, this issue is blocking me from implementing encryption in our company for internal mails. Either our employees have to explicitly enable encryption for all internal mails or they have to explicitly disable encryption for all external mails. This is neither accepted nor practical.

If you are interested to test an experimental implementation and give feedback, please see bug 1795981.
For that experiment, please ONLY comment in bug 1795981.

Once the experiment is completed, I will provide a summary of the results here.

I'm doing this separation to keep this long ticket here as short as possible.

I'm surprised nobody has yet given feedback for the experimental implementation in bug 1795981.
I'd strongly encourage everyone waiting for this addition to give feedback in bug 1795981, to let us know if this seems useful.

While we're waiting for test feedback, let me continue here with more general comments.

I would like to update the bug subject to make it more obvious that this ticket is NOT about opportunistic encryption.
It's more about "automation".
IFF, the user has already configured Thunderbird to be ready for using e2ee, and IFF the user has already obtained and accepted keys/certificates for all recipients of a specific email the user is composing, then enable encryption automatically for that email.

Once we have that "automation" ability, we need to offer the ability to the user.

Currently, the initial experimental implementation in bug 1795981 offers that through hidden preferences, only.

One option is to start with this limitation. Only offer it through hidden prefs, and allow interested parties (like you) to start experimenting with it, and identify bugs.

In a second step, we could eventually offer discoverable preferences in the standard Thunderbird settings.

An important question for that is:
Is it sufficient to have those prefs global, once, covering all accounts?
Or, is it desirable to offer those prefs per account?

In other words - do you think users might want this automation for their first email account, but not for their second email account?

(And we'd need to make a decision. If we think that some users need different configuration per account, and we want to offer that flexibility, then it would be a per-account configuration for everyone.)

In a third step, we could consider to advertise this "automation" ability to the user, and make it easy to enable it.

For example, we have recently introduced reminder notifications, that can remind the user that encryption is possible.
Potentially, we could improve those notifications. A notification "encryption is possible" currently offers to "enable encryption".
We could add another button saying "automatically enable encryption if it's possible", which turns on the pref.

Likewise, currently we have a notification if encryption is already enabled, but NOT possible. (This currently offers the choices "disable encryption" and "resolve" for OpenPGP, only.)
In this prompt, we could offer another choice "automatically disable encryption if it isn't possible".

As explained further above, the current suggestion is, whenever we automatically disable encryption (after it was already enabled), we inform the user - in the initial experiment implemented using a prompt. This prompt could offer a checkbox for the third pref "never notify me when encryption is automatically disabled".

If we decided to have those interactive ways to enable the prefs, here's a worry: If we make those prefs per-account, then users might be confused why in emails for another account those actions are not happening automatically.

To avoid this potential confusion we could make the prefs global (same automation configuration for all email accounts).

I would like to limit this bug to the "first step" that I described above, and start with hidden prefs for the initial implementation.

I would like to file follow-up bugs for step 2 (user visible configuration) and step 3 (interactively assist the user to enable encryption automation).

After, or in parallel to steps 2 and 3, we could also discuss if it makes sense to change the defaults (e.g. use the automation to enable encryption by default).

I'll file yet another bug to track the default decision.

So, we're still at step 1. Please comment in this bug if you have general comments on step 1 - or - comment in bug 1795981 if you're willing to participate in testing the initial implementation attempt for step 1.

I'll shortly file the other bugs. If you have comments on step 2, step 3 or the default, please make them in the new bugs that I'll announce in the next comment.

Summary: Implement "Encryption when possible" option for OpenPGP and S/MIME → Automatically enable or disable end-to-end encryption (OpenPGP or S/MIME) if it's possible based on existing user and recipient configuration.
Blocks: 1796631
Blocks: 1796632
Blocks: 1796634

Depends on D151915

Comment on attachment 9278126 [details]
Bug 135636 - Add a few strings that we could potentially use later. r=aleca

Revision D147287 was moved to bug 1796631. Setting attachment 9278126 [details] to obsolete.

Attachment #9278126 - Attachment is obsolete: true
Depends on: 1791130
Attachment #9300243 - Attachment is obsolete: true
Attachment #9300003 - Attachment is obsolete: true

After just 21 years, it seems like something is finally changing!
In my TB 102.5.1, I am now seeing a bar at the bottom of the compose window, with an information text "OpenPGP end-to-end encryption is possible" and an "Encrypt" button next to it.
Incredible!
(This almost makes me forgive that one of the recent upgrades completelely wrecked my profile and deleted all my virtual search folders.)

No information text nor a button when using S/MIME yet.

Anyway. An informative text and a button to toggle a default decision might be a nice add-on for the compose windows, but we all want an automatic system. TB knows all valid S/MIME certs I ever received and can enable or disable encryption itself.

To get the S/MIME notification you need to set pref mail.smime.remind_encryption_possible to true. This was initially already true but was switched to false due to performance problems. These problems should now be solved, see bug 1791130, TB 102 test version available in bug 1791130 comment #9.

Depends on: 1808295
Attachment #9285614 - Attachment description: WIP: Bug 135636 - Implement automatic enabling and disabling of encryption (still experimental). → Bug 135636 - Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin

I've marked the attached patch for review, I think it's ready for landing it (pending code review).

I suggest to initially keep the functionality disabled by default, and require the user to explicitly turn it on.
I think we should get feedback and ensure it's sufficiently correct and stable, before we consider to make the feature available more widely.

Following is a description of the current behavior.

If the new feature is enabled,
  (global pref: mail.e2ee.auto_enable)
AND
the user has configured end-to-end encryption for themselves,
AND
  the user has already received/obtained valid S/MIME certificates
  for ALL recipients of an email the user is composing,
  OR
  the user already has obtained valid OpenPGP public keys
  for ALL recipients of an email the user is composing,
  and the user has already marked all required public keys
  as accepted,
only then:
  The mail composer UI will automatically turn on
  end-to-end encryption for this message,
  and automatically select the technology that is usable,
  OpenPGP or S/MIME.

This should make it clear that this is NOT "opportunistic encryption".
It's "automatism" to get encryption automatically with prepared correspondents,
without having to remember and enabling encryption manually all the time.

For other users, who do NOT have the new pref enabled,
we'll show a notification, only, that encryption is possible,
but require the user to turn it on manually.
(We already have that notification in production,
just reminding you about it.)

If the user then makes further modifications to the list of email
recipients, and, because of that change, encryption is no longer
possible, then, we'll show our existing feedback that encryption is not possible
(which means the user has to manually resolve that situation, e.g. by turning off encryption).
It's the same behavior as one would get today, after having manually turned on encryption for this message.

There's an additional new pref to influence that scenario:
mail.e2ee.auto_disable
(false by default, only used if auto_enable is true)

If the user has both auto_enable and auto_disable set to true,
and encryption was automatically turned on,
and then the user adds a recipient that cannot yet be used
for e2ee, then encryption will be automatically turned off.

(The pref mail.e2ee.auto_disable has no effect if the user has manually turned
on encryption for a message. We never turn off encryption automatically if
the user has manually turned it on.)

Automatically disabling has the following risk:

The user might have started composing the email,
and the user might have noticed that encryption was turned on,
but after the user added another recipient,
the user might miss that encryption is automatically
turned off again. The risk is that the message will be sent
without encryption, although the user assumed that encryption
is turned on.

To prevent this fatal mistake, based on not having paid
sufficicient attention to the UI state, we will notify the user
whenever we automatically disable encryption.

A third pref mail.e2ee.notify_on_auto_disable can be used to disable this notification.

As a reminder of existing behavior: We already enable encryption automatically,
when replying to an encrypted message (or forwarding it). This is treated
as having manually enabled encryption for the message. We'll never
automatically disable it, only the user can manually disable encryption for such messages.

Besides changing the list of recipients, there's another action that could
trigger that encryption is automatically turned on or of: Selecting a different From/Sender identity.

Depending on the configuration state of the identities (e2ee is activated in account settings, or isn't),
changing it might also enable or disable encryption in composer.

Here is one related change, which ALL e2ee users will get, even if the new
automatism feature is turned off:

If the user has manually enabled encryption for the message, or we're replying
to an encrypted message, or we've automatically enabled encryption but auto_disable
is turned off, and the user is switching to another identity that cannot use e2ee,
then we'll show a new reminder with the following text:
"The selected sender identity (From) is not configured for end-to-end encryption." -
reminding the user why encryption isn't possible.

When saving a draft, we'll remember whether the user has manually enabled
encryption/signing (independently), or whether it was automatically turned on.

If encryption was explicitly enabled by the user (or automatically enabled because
replying to an encrypted message), that explicit state will be remembered in the draft.
When the user later on edits the draft, we'll keep encryption forced on.
Otherwise, encryption will be automatically turned on or off based on the
user's prefs that are active at the time the user continues to edit the draft.

Here is a visible change that users will get who have the new auto_enable pref turned on:

Today, in e2ee account settings, we have the following old pref:

"Default settings for sending messages" with choices "disable" or "enable encryption for new messages".

This pref makes no sense when turning on the global new pref "mail.e2ee.auto_enable".

With the new code, if auto_enable is turned on, that pref will be hidden from the UI.

Instead, at the same position in the pref UI, the following explanation text will be shown:

"Encryption will be automatically enabled, based on available recipient keys or certificates. You may override the automatic decision."

If, in addition, the pref auto_disable is turned on, too, then the following, slightly different text will be shown:

"Encryption will be automatically enabled or disabled, based on available recipient keys or certificates. You may override the automatic decision."

If you wish to try the current state of this work yourself, there are test builds here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1795981#c31

and automatically select the technology that is usable

How does this relate to bug 1806328 where sometimes the wrong technology is chosen? The bug is still present in 102, I didn't try beta.

Blocks: 1675737

(In reply to PS from comment #240)

How does this relate to bug 1806328 where sometimes the wrong technology is chosen? The bug is still present in 102, I didn't try beta.

I've commented in bug 1675737, which is a duplicate of bug 1806328.

The current patch of this bug 135636 uses the technology preference configuration to automatically switch to the configured preferred technology, if encryption is possible with two technologies, and a preferred technology is configured.

However, the current patch will switch technology if only one technology can be used with encryption. Maybe that's wrong. Maybe we should never automatically switch to the non-preferred technology.

We can handle that in bug 1675737, but preferably after the work here has completed, because of likely code overlap. (The fix will also have to handle the scenario, where the new auto_enable pref is set to false.)

(In reply to Kai Engert (:KaiE:) from comment #239)

Great work, I like the concept and the preferences etc. very much! Thank You!

(In reply to Kai Engert (:KaiE:) from comment #239)

I've marked the attached patch for review, I think it's ready for landing it (pending code review).

[...]

Following is a description of the current behavior.
[...]

That sounds great, thank you so much!

Does this solve the behaviour of always defaulting to OpenPGP on initial compose window opening with S/MIME-only accounts when other identities are configured for OpenPGP? There seems to be some change in the relevant parts of MsgComposeCommands.js, but I'm not able to check this out myself.

Relevant: Bug 1793278, Bug 1793431, Bug 1796781, Bug 1800427

Primarily, the patch in this bug focuses on fixing this bug.
Other issues need to be checked separately.

I have a fix for the issue from comment 244 (bug 1793278), and I have merged the patch here to be on top of that fix.

(In reply to Stephane Saux from comment #11)

The design is detailed in http://www.mozilla.org/mailnews/specs/security/

Still available at:
https://www-archive.mozilla.org/mailnews/specs/security/

(Just posting this for historical documentation purposes. I'm not suggesting we implement that old UI.)

Attachment #9285614 - Attachment description: Bug 135636 - Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin → WIP: Bug 135636 - Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin
Attachment #9285614 - Attachment description: WIP: Bug 135636 - Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin → Bug 135636 - Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/53d3295f1b01
Implement automatic enabling and disabling of encryption (turned off by default). r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 23 years ago2 years ago
Resolution: --- → FIXED

The patch has landed. It's mostly as described in comment 239.

One difference: The preference mail.e2ee.notify_on_auto_disable currently has no effect, even if set to true.

We need to reach agreement on how to exactly this notification will be shown to the user.
I hope to fix that soon in a follow-up.

Target Milestone: --- → 113 Branch
Blocks: 1825626

Call for testing:

If you were waiting for this functionality, then I'd like to ask for your help to test it.

So far, it has only arrived in the daily development build of Thunderbird, and it's disabled by default.
We need to know if it's working properly, as explained in comment 239.

Could you please download a Thunderbird Daily build, and test it? To obtain it, visit https://www.thunderbird.net/ and on the lower right, click on "Daily Channel".

Note, if you're usually using the stable version of Thunderbird, only, (currently version 102), then be careful, and setup a SEPARATE profile for using Thunderbird.

The reason is, once you used a profile with a newer version (such as the Daily version), you can no longer use that profile with older versions (such as the current stable 102 version).

(More information on profiles can be found here: https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-thunderbird-profiles )

If you find a bug, you may report it in bugzilla.

To post your feedback, please send an email to this mailing list:
https://thunderbird.topicbox.com/groups/e2ee

Thanks!

Duplicate of this bug: 1795981
Whiteboard: [kerh-eha] [GS] → [kerh-eha] [GS] Summary of what was done: See comment #239

(In reply to Kai Engert (:KaiE:) from comment #249)

One difference: The preference mail.e2ee.notify_on_auto_disable currently has no effect, even if set to true.

We need to reach agreement on how to exactly this notification will be shown to the user.
I hope to fix that soon in a follow-up.

This was done in bug 1825626, it's included in today's version of Thunderbird Daily.

If you prefer to wait for a Thunderbird Beta version to test it, it shall be available in Beta 113 that will be released after April 11.

Blocks: 1828475
Regressions: 1828591
Depends on: 1833358

Everyone ... "NOW is the time", as the saying goes.

Everyone (70 people are in this bug), please post your response in this bug to the developer's comment 250, or respond at https://thunderbird.topicbox.com/groups/e2ee/Te4059b3f9ccae287-M75f642de97a3e99575ab5919 This is your opportunity to help with the feature which the developer has kindly provided.

Your comments will be appreciated. Let us know if you have difficulty testing.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: