Closed Bug 849099 Opened 12 years ago Closed 12 years ago

All e-mail should be encrypted by default. (GPG Enigmail)

Categories

(MailNews Core :: Security, enhancement)

Product:
MailNews Core
Component:
Security
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 448964

People

(Reporter: adam_kauffman, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 Build ID: 20130307023931 Steps to reproduce: Sent an e-mail. Actual results: It traveled across the internet in plain text that anybody could read. Expected results: The message should have been encrypted end-to-end. If encryption was included by default in every install of Thunderbird then all Thunderbird users could at least communicate with each other in private. Mozilla could lead the push to encrypt all digital communication and raise awareness of this increasingly important issue.
Simple encryption needs to be available to average users. The current solution of Enigmail/GPG needs improvement. It also needs to come with the default install of Thunderbird. I would go so far as to include the encryption key setup wizard as part of the account creation wizard.
Severity: normal → critical
1) Is this really needed? Any confidential text can be sent as an encrypted attachment, leaving unencrypted mail (which uses less bandwidth, among others) for anything no more confidential than a postcard. 2) To be effective, encrypted email needs a way to communicate the decryption key to the addressee by a means which a potential man-in-the-middle attacker (or an intersted third-party reader, for that matter) could not intercept. 3) As long as the SMTP / POP / IMAP / NNTP connections themselves are established by cleartext messages, would this not just *move* the potential attack point rather than altogether *remove* it? (My ISP does not support SSL/TLS for mail. I don't think that's an exception.) I suggest WONTFIX.
1) Yes. Privacy is a natural right. Simple means of private communication needs to be available to average users without needless extra steps like creating encrypted attachments. How would you communicate the password for your attachment to the recipient? 2) This needs to be built in to Thunderbird. 3) End-to-End encryption is the current topic. If it leaves your client encrypted it can travel through open channels securely. That is the whole point. I use an SSL connection to connect to GMail servers but that doesn't protect my message once it leaves the SMTP server. (From Google to the recipient) SSL should also be default for SMTP servers but that is off topic here.
In reply to comment #3 point 1: I would communicate the password by any means appropriate to the circumstances. In some cases word-of-mouth would do (either face-to-face or by telephone as circumstances dictate). In other cases the username and password acquired by HTML over https for some related account could be reused. Etcetera. I leave the rest to the developers who would implement this (if and when).
Severity: critical → enhancement
OS: Windows 7 → All
Hardware: x86_64 → All
Version: unspecified → Trunk
Dupe of bug 448964?
Whiteboard: dupeme?
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Product: Thunderbird → MailNews Core
Resolution: --- → DUPLICATE
Whiteboard: dupeme?
You need to log in before you can comment on or make changes to this bug.