Closed Bug 347939 Opened 18 years ago Closed 15 years ago

Account-based encryption design flawed - user error likely

Categories

(Thunderbird :: Message Compose Window, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 135636

People

(Reporter: dcmay, Unassigned)

Details

(Keywords: uiwanted)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

The greatest probability of a security breach in encrypted communications is the user failing to turn on encryption for a message. T-Bird makes it easy for that to happen. I've worked with a couple of new T-Bird users (and one Notes user) whose biggest security breaches were due to forgetting to turn on encryption for a message, just because they're busy and have a thousand other unrelated details to think about.

As of Thunderbird 1.5.0.6, whether a message is defaulted to encryption or not is based solely on which account the active (current) folder is associated with. If I'm in a folder, like the local inbox, which has an account associated with it for which "Default encryption setting when sending messages" (Security settings) is set to "Never (do not use encryption)", then a new compose message is created with encryption turned off, even if the folder also contains an account that has "Default encryption setting" set to "Required". (That could be considered a bug - Required should ALWAYS take precedence over Never).

Anyway, the whole concept of enabling or disabling encryption for an account, or at least at a folder level, seems undesirable, or at very least, of secondary usefulness.

If I'm communicating with a business colleague about some sensitive negotiations or project details, I *ALWAYS* want that communications encrypted, because I don't want to risk any information leaks due to user error (which does easily happen). So, if I have a certificate for a recipient, the message should default to encrypted when first created, regardless of any other settings. In this case, I should be warned if my "From" e-mail address doesn't have a certificate.

On the other hand, if I'm using the same e-mail account to communicate with someone I don't know, who just sent an e-mail asking a question, or from whom I'm requesting information, I don't want TBird to give me an error because I don't have a certificate for that casual contact, when it tries to save a draft or send that message.

Reproducible: Always

Steps to Reproduce:
1. Set up two accounts, one with Security - Encryption Default - Required, one with Never.
2. Go into a folder associated with the Never account, and compose a new message to someone whose certificate is saved in the cert store.
3. View security settings for the message and note the encryption state.
Actual Results:
Encryption is off

Expected Results:  
T-Bird should set the message encryption state by looking at whether the recipient has a certificate associated with them, rather than by looking at the account. If I have a certificate for the recipient in my certificate store, then a new message, *OR reply*, should default to encrypted. If multiple recipients are specified, but I have a certificate for only some of them, then a new message should default to encryption, and a reply should default to the message setting (which may or may not be encrypted - this way, if I've received an encrypted e-mail that copies other people for whom I don't have a certificate, I'm prompted to be able to request their certificate). If I don't have a certificate, then a new message should default to unencrypted.

If the "From" account (automatically) assigned to the e-mail (based on the account associated with the folder) does not have a certificate associated with it, but one or more of the recipients do have a certificate, then T-Bird should display an error when saving or sending the message, thus prompting me to either disable encryption or change the From account.

Also, if account-based default encryption settings are retained in T-Bird, then if any of the accounts associated with a folder have Required set, then a message should default to encryption. (Another way to look at this issue might be that the global inbox in Local Folders does not have a way to specify a default From account).

The most secure e-mail system isn't secure if it accidentally doesn't get used. My experience with others, as well as myself, has shown that there's a fairly high likelihood of private messages getting sent unencrypted unless there is a reasonably foolproof way to set the default encryption state. I believe that the suggested resolution will eliminate a lot of security breaches that otherwise are likely to happen for Thunderbird users.
Assignee: dveditz → mscott
Severity: major → enhancement
Status: UNCONFIRMED → NEW
Component: Security → Message Compose Window
Ever confirmed: true
Keywords: uiwanted
QA Contact: thunderbird → message-compose
I don't think the separate prefs for accounts is the problem, really. Multiple accounts are fairly rare (though probably more common with the sorts of people who actually have a cert).

Maybe the real solution is to better expose the signing/encrypted state while composing mail, perhaps by stealing a little space to the side of the address lines and showing encrypted/unencrypted and signed/unsigned icons. Give them tooltips, make them toggle buttons, a splashy background color difference, and disable them for accounts which don't have certs.

Could get tricky for users who use both S/MIME and Enigmail :-(

Another good point is why doesn't the Local Folders have a default identity and outgoing server like all the other account types? Maybe the default From line should be blank, forcing the user to choose each time (that'd be a PITA--better to allow a default identity).
I would agree that separate prefs for multiple accounts isn't the issue here. And, there ARE icons that are displayed in the lower right hand corner when composing a message; so it is possible, *IF YOU REMEMBER TO LOOK*, to see that a message isn't encrypted. Plus, if composing a message with compact header display (the one-liner), there is minimal room for any icons there.

For me, the real issue is, what does T-Bird default to when I'm sending an e-mail?

If I'm sending an e-mail to a person for whom I have a certificate, I need that e-mail to *ALWAYS* default to encryption, REGARDLESS of any other factor or setting. If I'm working with an attorney, or the CEO of my company, or a close development partner working on a stealth project, I *CAN'T* afford to risk that message going across the internet in cleartext. Period.

Because of its current design, T-Bird significantly elevates the risks of a security breach, especially when operating with multiple accounts. It's already happened several times with highly sensitive information ... despite cautioning people repeatedly. That's why I feel this is a much higher priority than "enhancement".

OK, so technically it's user error. But software is supposed to be designed to minimize user errors. Perhaps the design of the whole security / encryption settings should be rethought.

But by far the easiest solution would seem to be to query the certificate store to see if any of the current recipients have a certificate. If they do, just flip the encryption bit on. That check can be done every time that a recipient is added to the message. If the sender doesn't want encryption, they can turn it off when prompted.
Assignee: mscott → nobody
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
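The decision rule asked for in the Expected Results and restated in the reporter's last comment (recipient certificate decides, Required beats Never at folder level, warn when the From identity has no certificate), as an added Python model that is not Thunderbird code; the Draft/Decision types, function names and example addresses are constructed here.

```python
# Added model of the default-encryption policy proposed in this bug report.
# Not Thunderbird code: the types, function names and addresses are constructed.
from dataclasses import dataclass, field
from typing import List, Set

REQUIRED, NEVER = "Required", "Never"   # the two account-level defaults named above

@dataclass
class Draft:
    sender: str                        # From identity assigned from the current folder
    recipients: List[str]
    is_reply: bool = False
    original_encrypted: bool = False   # only meaningful when is_reply is True

@dataclass
class Decision:
    encrypt: bool
    warnings: List[str] = field(default_factory=list)

def current_default(folder_account_setting: str) -> bool:
    """Behaviour reported for 1.5.0.6: only the folder's account setting decides."""
    return folder_account_setting == REQUIRED

def folder_default(account_settings: List[str]) -> bool:
    """Fallback asked for in the report: Required on any folder account beats Never."""
    return REQUIRED in account_settings

def proposed_default(draft: Draft, cert_store: Set[str],
                     account_settings: List[str], sender_has_cert: bool) -> Decision:
    """Recipient certificates decide first; account defaults are only a fallback."""
    have = [r for r in draft.recipients if r.lower() in cert_store]
    missing = [r for r in draft.recipients if r.lower() not in cert_store]
    d = Decision(encrypt=False)
    if have and not missing:
        d.encrypt = True                         # every recipient can be encrypted to
    elif have:                                   # certificates for only some recipients
        d.encrypt = draft.original_encrypted if draft.is_reply else True
        d.warnings.append("no certificate for: " + ", ".join(missing)
                          + " (request it or disable encryption)")
    else:                                        # no recipient certificate at all
        d.encrypt = folder_default(account_settings)
    if d.encrypt and not sender_has_cert:        # fail loudly instead of sending plaintext
        d.warnings.append(f"From identity {draft.sender} has no certificate: "
                          "disable encryption or change the From account")
    return d
```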