Usability issues in Thunderbird concerning mainly encryption. (40-page document) [meta]

Status: NEW (opened 3 years ago, updated 2 years ago)
Assignee: Unassigned
Reporter: bernhard.esslinger
Keywords: meta, sec-want
Firefox Tracking Flags: Not tracked
Whiteboard: [needs triage]
Attachments: 1 attachment, 1 obsolete attachment

(Reporter)

Description

3 years ago
Created attachment 8712758 [details]
Thunderbird_Bedien-Issues_BE_v1.0.pdf

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160121004039

Steps to reproduce:

We are a group of German academics teaching cryptography courses for students and pupils. We collected their feedback and documented the issues people have with Thunderbird when performing encryption and signing messages.
Our 40-page document contains scenarios (with many screenshots) -- these are not exploits but usability issues. The document's structure is like this:
1. S/MIME only (page 4 to 20)
2. S/MIME and Enigmail (page 21 to 26)
3. Enigmail only (page 27 to 45)


Actual results:

There are simple issues where the wording is just misleading (please note that although the screenshots are mostly in German, it's NOT a matter of translation). However, more things are just wrong and/or prevent even well-meaning users from using TB for email security.
We really hope that this documentation is helpful.
Thanks to Wayne Mery.


Expected results:

As the document contains a bunch of more than 30 single issues (including suggestions of what our expected results are), we can only say here (in this bug-recording field) what we expect from the TB developers:

a) Please fix the many usability issues.

b) Please start two bigger tasks:

b1) Integration of OpenPGP
--> Offer a good user experience when using S/MIME and PGP in parallel
    (see the whole chapter 2).
We believe that Enigmail is a very good basis and the developer of this plugin should be invited to this task. Additionally, forces could be joined with other European initiatives (e.g. PEP project in Switzerland).
Privacy is a topic which is very much relevant in Europe.

b2) Automatic handling of own expired certificates (see chapter 1.10).

Remark:
Our finding in chapter "1.7 Enhance TB with build-in encrypt-if-possible" is similar to Bug 149876 ("require encryption"), reported in 2002 (at that time the Encrypt-if-possible-plugin didn't exist yet).
(Reporter)

Comment 1

3 years ago
I tried to use the more concrete keywords S/MIME, OpenPGP, usability, encryption and signature.

Then I got a warning that there is no keyword named 'S/MIME', etc.
So maybe the list of legal keywords could be enhanced with more security-related words.

However, the more generic word "sec-want" should fit too.

Thanks.
Keywords: sec-want
OS: Unspecified → Windows 8.1
Hardware: Unspecified → x86_64

Comment 2

3 years ago
I think that the best thing to do with this is to make it a meta bug that would spin off dependent bugs for specific identified issues.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: meta

Comment 3

3 years ago
I agree. Thanks for filing the bug.
OS: Windows 8.1 → All
Hardware: x86_64 → All
Summary: We build a 40-page document with usability issues in Thunderbird concerning mainly encryption. → We build a 40-page document with usability issues in Thunderbird concerning mainly encryption. [meta]
(Reporter)

Comment 4

3 years ago
Created attachment 8713196 [details]
Updated document 1.1 (compared to document 1.0 mainly typos have been corrected)

Updated document to v1.1: compared to document v1.0 (Thunderbird_Bedien-Issues_BE_v1.0.pdf) mainly typos have been corrected.
Attachment #8712758 - Attachment is obsolete: true
(Reporter)

Comment 5

3 years ago
After making it a meta bug, what is the further procedure?
Please keep me up-to-date.

Thanks a lot, Bernhard
(Reporter)

Comment 6

3 years ago
Hello,

may I ask about any progress? Is there any news from the Thunderbird developers (TB Council?) on whether the issues in the document are applied in concrete plans to improve security and usability of TB?

Best regards, Bernhard

Comment 7

A lecturer was looking for a suitable "3rd-year Engineering Group Project" for this spring on the tb-planning mailing list. I've suggested making progress on this bug could be one of the things they could choose.

Comment 8

2 years ago
(In reply to Magnus Melin from comment #7)
> A lecturer was looking for a suitable "3rd-year Engineering Group Project"
> for this spring on the tb-planning mailing list. I've suggested making
> progress on this bug could be one of the things they could choose.

This would have been James Quilty and crew. They chose to cover addressbook.
Summary: We build a 40-page document with usability issues in Thunderbird concerning mainly encryption. [meta] → Usability issues in Thunderbird concerning mainly encryption. (40-page document) [meta]
Whiteboard: [needs triage]

Comment 9

2 years ago
If Bernd doesn't have students to parse this into usable bugs, perhaps Ben will know some people.  May need a small team.
Component: Security → Security: S/MIME
Product: Thunderbird → MailNews Core
Version: 38 Branch → 38