Gloda doesn't find content in encrypted messages (S/MIME and PGP)
Categories
(MailNews Core :: Backend, defect)
Tracking
(Not tracked)
People
(Reporter: julien.pierre, Assigned: patrick)
References
(Blocks 1 open bug)
Details
(Whiteboard: [datalossy])
Attachments
(2 files, 1 obsolete file)
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
Details | Diff | Splinter Review |
Comment 1•22 years ago
|
||
Reporter | ||
Comment 3•20 years ago
|
||
Updated•20 years ago
|
Updated•20 years ago
|
Updated•20 years ago
|
Comment 4•20 years ago
|
||
Reporter | ||
Updated•20 years ago
|
Comment 5•17 years ago
|
||
Comment 6•17 years ago
|
||
Updated•17 years ago
|
Updated•16 years ago
|
Reporter | ||
Comment 8•16 years ago
|
||
Updated•16 years ago
|
Comment 9•14 years ago
|
||
Comment 10•14 years ago
|
||
Comment 11•14 years ago
|
||
Comment 12•14 years ago
|
||
Comment 13•14 years ago
|
||
Comment 15•14 years ago
|
||
Comment 16•14 years ago
|
||
Comment 17•14 years ago
|
||
Comment 18•14 years ago
|
||
Comment 19•13 years ago
|
||
Comment 20•13 years ago
|
||
Comment 21•13 years ago
|
||
Updated•13 years ago
|
Comment 23•13 years ago
|
||
Comment 24•13 years ago
|
||
Comment 25•13 years ago
|
||
Comment 26•13 years ago
|
||
Reporter | ||
Comment 27•13 years ago
|
||
Comment 28•13 years ago
|
||
Reporter | ||
Comment 29•13 years ago
|
||
Comment 30•13 years ago
|
||
Comment 31•13 years ago
|
||
Comment 32•13 years ago
|
||
Comment 33•13 years ago
|
||
Comment 34•13 years ago
|
||
Comment 35•13 years ago
|
||
Comment 36•13 years ago
|
||
Comment 37•13 years ago
|
||
Comment 38•13 years ago
|
||
Comment 39•13 years ago
|
||
Comment 40•13 years ago
|
||
Comment 41•13 years ago
|
||
Comment 42•12 years ago
|
||
Comment 43•12 years ago
|
||
Comment 44•12 years ago
|
||
Comment 45•11 years ago
|
||
Comment 46•11 years ago
|
||
Comment 47•11 years ago
|
||
Comment 48•11 years ago
|
||
Comment 49•10 years ago
|
||
Comment 50•10 years ago
|
||
Comment 51•10 years ago
|
||
Comment 52•10 years ago
|
||
Comment 53•9 years ago
|
||
Comment 54•6 years ago
|
||
I think we should prefer not decrypting mail permanently to require searching. I know that Thunderbird used an index for searching, called Gloda.
source: https://support.mozilla.org/en-US/kb/global-search
I would also caution against using unencrypted indexing for encrypted mail. Some pgp users may need the security.
I have never contributed to Thunderbird, but I know that you would need to modify the search system to either use two databases (one for encrypted e-mail, which is encrypted itself), one encrypted database for everything(which would be locked for people without the key), or to have encrypted entries in the database somehow. The latter I would not recommend, as that would require extra work both for the encryption and for "salting" the entries so that no known-plaintext or replay attack can be done. It would also require a lot of work modifiying existing systems to work with the new entries while still maintaining compatiblity with the older entries. There is a lot of potential for errors there, in my opinion, which can lead to security issues.
Right now the Gloda search system uses a single file (global-messages-db.sqlite). It would need to be able to use two databases, one which has to be stored encrypted. We could also encrypt Gloda by default for PGP users (and then just treat the e-mails as unencrypted while the user is logged in), but that might be hard for people who also use unencrypted mail regulary without wanting to use a password. I do not know the Thunderbird/enigmail code, but that might be less work.
Comment 55•6 years ago
|
||
I think indexing the cleartext of all emails in one database using stopword lists to reduce the index is the way to go.
Makes it smaller and central and then you can encrypt it using the Masterpassword. Which might need a bit of redesign with stronger protection.
Comment 56•6 years ago
|
||
(In reply to Rob van den Berg from comment #54)
I think we should prefer not decrypting mail permanently to require searching. I know that Thunderbird used an index for searching, called Gloda.
Not all searches go through Gloda. The Quick Filter and the Advanced Search just search through your messages one at a time (plus using the Mail Summary Files where possible, which are separate from Gloda). It should be possible to use the Quick Filter or Advanced Search on encrypted mail without storing any (more) data from encrypted mail in unencrypted form.
This would probably be a bit confusing ("why can I only find encrypted messages using some of the search tools?") but it shouldn't have any new privacy/security issues.
Comment 57•4 years ago
|
||
I'm a little surprised since Gloda does trigger the PGP Proxy which should lead to decryption and subsequent indexing of messages. BTW, I see this, perhaps it's related:
gloda.datastore ERROR got error in _asyncTrackerListener.handleError(): 19: constraint failed
Comment 58•4 years ago
|
||
I'll take a look, given comment #57.
Updated•4 years ago
|
Comment 59•4 years ago
|
||
This does not depend on 280588. Sure, if you store messages unencrypted, the searches will "just work" (TM).
Comment 60•4 years ago
|
||
Simple patch to trigger folder re-index by hijacking OpenMessageInNewTab().
Comment 61•4 years ago
|
||
With this patch, the request from Gloda is processed and the decrypted message is returned. Further investigation is necessary to see why the returned result is in fact not indexed by Gloda.
Comment 62•4 years ago
|
||
Looking further into the issue, it's basically a one-line change to enable this function, as there is already provision for it. Maybe there are further adjustments necessary in mimeDecrypt.jsm, but looking at it again, this would already work:
https://searchfox.org/comm-central/rev/67ff5d7aa78c03b51b1ccd06b8636f3ac28e5fbf/mail/extensions/openpgp/content/modules/mimeDecrypt.jsm#473
It was in fact a conscious choice of the Gloda authors not do index encrypted parts[1]. I don't know whether this choice is still valid in the day where (most) disks are encrypted anyway. To add another preference to the system, maybe indexing encrypted messages should be optional, or per account.
Patrick, maybe you can coordinate this with the OpenPGP team. If you/they decide to enable this function, you/they would need to use this patch. Feel free to assume authorship. For the p≡p Project we will potentially "patch" IndexMsg.jsm so it will index encrypted messages until a decision is made here.
If it's decided that decrypted parts will never be indexed, this bug should be closed as WONTFIX.
Assignee | ||
Comment 63•4 years ago
|
||
Thanks for this. This is certainly the basis, but I think it needs a bit more surrounding work.
We discussed this already several times at OpenPGP Email Summits. The conclusion of the discussion is the following:
If we store decrypted data on the disk (which is what Gloda does), then we should only do this with the user's consent. That is, there should be a configuration option that allows the user to enable the functionality, and the default should be "off", unless you know that the data is stored on an encrypted disk.
As we don't know if the disk is encrypted in Thunderbird, we should foresee a preference value to handle this.
Assignee | ||
Updated•4 years ago
|
Comment 64•4 years ago
|
||
How about using stop word lists to create a local search index which is protected with the TB master password so you don't have to store individual mails in a decrypted state but still have a search option across them that doesn't cost too much decryption performance?
Comment 65•4 years ago
|
||
This bug has been open for at least 16 years. I have been following it for only nine years.
We all know there is a simple solution. And that the solution accords with the general principles of confidentiality. (I'll write on that in a following comment. This comment is to add a new use case that is handled by one of the proposed solutions for this serious, longstanding, bug.)
This week I was asked to provide about a thousand messages from my archive. I could, of course, respond to this polite request by saying I would rather not. In due course a nice person would hand me an order from a Federal court, explaining the next step.* (Meanwhile, I would be looking for another job, but that is beside the point here.)
If Thunderbird followed the well established principle of cryptography, that confidentiality in transit and confidentiality in storage are two technical problems, and call for two technical solutions, then I'd simply copy the mbox, encrypt it (plenty of ways to do that, e.g. a file-zipper). Put the 873.8 megabytes on a storage device, mail it to the US Treasury counsel, and use Thunderbird to send the password in an encrypted message. The lawyers have tools for every kind of mail storage solutions. (But, as you know, can't decrypt messages encrypted by Thunderbird. And as you know, I am not about to give them my private key. (Nor, or course, have I been asked to.))
So, there we have another use case. It has nothing to do with the search use case, folks WANTING Thunderbird to--PLEASE--SEARCH MESSAGE BODIES.
But notice that it is something to think about, when thinking about the problems with implementing full search capabilities. There is one implementation that solves both use cases in a straightforward and--comparatively--extremely easy to implement way.
As you all know, I mean this: If the fix for this bug had been to work in the following way, the bug might have been fixed sixteen years ago:
"If we store decrypted data on the disk (which is what Gloda does), then we should only do this with the user's consent. That is, there should be a configuration option that allows the user to enable the functionality, and the default should be "off", unless you know that the data is stored on an encrypted disk."
-- Patrick Brunschwig
3 months ago.
[ * compliance vs. contempt ]
Comment 66•4 years ago
|
||
I know this is not the proper forum, but...
If someone know how I might prepare an mbox with a thousand messages, decrypted, or prepare one thousand files, each with a decrypted message, please post a link here.
I do have one procedure:
DO UNTIL done { Type(Command-P); Click(PDF); Click(Save as PDF); Type (Subject_text); IF duplicate(Subject) THEN Type(serial number); Click(Save); Type(Down-arrow) }
I figure that--once I get up to speed--I can do several a minute. 1000/(3*60). Maybe six hours, with a pee break or two, snack, and perhaps a tranquilizer.
I'm looking for something not quite so, uh, <don't get me started>...
Thanks for your tolerance for this out of order request.
Cordially, Joaquin
Comment 67•4 years ago
|
||
I think you want bug 1627962 which we want to do.
Comment 68•4 years ago
|
||
Thanks, Magnus. Sadly, I must use X.509. Not permitted to use PGP.
....... All praise to Zimmerman! .......
(Dear reader, do you use only post cards for your mail?
Or do you risk being considered a criminal or--worse--a terrorist, by hiding your message in an envelope before you post it?
If you do get a love letter in an envelope, and you want to keep it, do you carefully reseal the envelope?
Or do you leave the letter open, so anyone can read it?
Or, perhaps, do you leave the envelope unsealed but put your love letter in a safe place.
)
https://en.wikipedia.org/wiki/Pretty_Good_Privacy#Early_history
Comment 69•3 years ago
|
||
Comment 70•3 years ago
|
||
Reading the patch I assume the gloda already has support for indexing encrypted messages and we just need to a toggle to enable it when needed.
Do I assume correctly that when the setting is enabled, gloda starts to index new encrypted messages from that point only and can not search in messages received before? The option text may imply the user otherwise.
Also, does it mean gloda will index the contents of the encrypted messages in plain text in its word database as the message is received? I assume it does not decrypt each message on the fly just when a search is initiated. This would also need to be conveyed to the user as not encryption works only at transport and no longer secures the message in storage.
Comment 72•2 years ago
|
||
This bug is not a duplicate of bug 180769.
This bug arises from the fact that Thunderbird does not follow this long established principle: data confidentiality in transit and data confidentiality in storage are distinct requirements and call for distinct implementations.
The result of this bug 188988, is this: if a message was encrypted in transit, Thunderbird can't search the body of that message.
bug 180769 arises from the fact that that the dialog for Menu>Edit>Find>Search Messages includes many choices of what to search for, but does not include "Encryption Status."
This has nothing to do with the fact that twenty years ago Thunderbird's choice was to implement data confidentiality in storage for encrypted messages by storing the message in its encrypted form.
The result of that bug, 1807679, is this: Thunderbird can't search for messages that were encrypted in transit.
bug 180769 may not be a bug In this sense: The choice, Menu>Edit>Find>Search Messages>Match>Subject>Customize..., allows the user to add other message headers to the choices in the list under Subject. For example, searching for Content-Type--contains--smime would do the job. (Or the corresponding text for an OpenPGP message.)
The Thunderbird experts will know.
I could check that in a minute. But I must go attend to something else. I'll post a general comment on this bug later.
Meanwhile: I do not have permission to change the Status of bug 180769.
Someone please do: thank you!
Comment 73•2 years ago
|
||
Apology for the boldface. I don't know the Markdown rules. (Nor, you see, do I know how to edit my post.)
Comment 74•2 years ago
|
||
Thanks, Wayne!
I'm back from something else and just checked. Yes: Thunderbird will search for and find encrypted messages. (At least if S/MIME was used.)
1807679 asks for a Thunderbird feature to make that very easy.
My note on the 1807679 page tells how, with a small touch of quick and easy customization, to search for encrypted messages.
Now let's push forward on searching the Body encrypted messages.
Please.
(I am required to encrypt all my work messages. I have been waiting over fifteen years. Some have been waiting over twenty.
All encrypted messages. Thunderbird reports that I have 67,320.
[ Search Messages : Match all of the following : Date : is before : 1/18/2023 ]
)
Description
•