
21 years after the request OpenPGP support gets added to Thunderbird - janvdberg
https://bugzilla.mozilla.org/show_bug.cgi?id=22687
======
capableweb
> For reasons associated with U.S. export restrictions, no cryptographic
> security of any kind is likely to be included in the original sources

[https://bugzilla.mozilla.org/show_bug.cgi?id=22687#c1](https://bugzilla.mozilla.org/show_bug.cgi?id=22687#c1)

Creepiest thing with seeing this ticket (again?) is noticing that the first
comment is about that is used to be illegal to write anything with
cryptographic security in the US and sell/give it to the outside world.

[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)

~~~
Longlius
Any signatory to the Wassenaar Arrangement, which includes the entirety of
North America, Europe (including Russia), Australia, India, and Pacific Asia
(minus China) must consider cryptographic technologies to be munitions for the
purposes of export. Now, these restrictions have been considerably loosened to
the point that the export isn't really controlled, but international law still
considers it a munition. The US is hardly unique in this regard.

It works the other way too. A surprising number of countries still restrict
the import of cryptographic technology, including several EU states.

~~~
highmastdon
Side note: don’t call the countries in the European Union “states”. They’re
sovereign countries that have committed themselves through treaties to the
Union, not a US like government body

~~~
pmontra
Languages are strange in very different ways. The Italian word for country is
"stato". How do we translate state as in "NY is a state of the USA"? Again
"stato". We have "nazione" for nations but really nothing for countries. We do
say "paesi esteri" for "foreign countries" but that's almost the only
occurrence with that meaning. A "paese" is a town, so nobody will ever say
that Germany or France are a "paese".

~~~
alberto-m
Actually, "paese" is the normal translation for country (optionally with
capital "P" if one wants to avoid ambiguities with the "town" meaning)

> nobody will ever say that Germany or France are a "paese"

Google lists > 200.000 results for "la Germania è un paese".

------
dylan604
I remember back in the 90s exchanging PGP keys with my roommate to exchange
encrypted emails. It was supposed to be so easy. Just 12 simple steps. Every
time.

~~~
libraryatnight
at least you had a friend to email! I couldn't get any of my friends to do it.
"Man we can encrypt our emails." "But why..." "It'd be cool" "This seems
hard." "Come on, exchange keys with me." "I don't want to make one."

~~~
thereticent
My high school friends and I settled for using Gain and Pidgin to enable the
"secure" icon. :)

~~~
input_sh
Ah, the good old days when I could just plug my IM services into one desktop
app. I miss those days very much.

Now I use three Electron apps on a typical work day.

~~~
flyx86
Matrix bridges do that for me today! Currently using IRC and Telegram bridges,
thinking about adding Slack.

Sadly, Electron-based Element is still the best Matrix client by far.

~~~
the_duke
The lack of thread support in Element makes Slack bridging very hard to use,
sadly.

~~~
flyx86
I needed some time to figure out you're not talking about multithreading in
JavaScript/electron, but about this

[https://github.com/vector-im/element-
web/issues/2349](https://github.com/vector-im/element-web/issues/2349)

:)

------
skyfaller
I used to love PGP, but I now think encrypted email is a bad idea.
[https://latacora.micro.blog/2020/02/19/stop-using-
encrypted....](https://latacora.micro.blog/2020/02/19/stop-using-
encrypted.html)

Better to use a protocol designed with encryption in mind, like Signal, to get
forward secrecy, avoid leaking metadata, and have encryption always on by
default.

UPDATE: I have been reminded that PGP does not have to be used with email. I
meant to say that I used to love using PGP with email, since that is the
primary way I have used it. I will not comment on the use of PGP outside of
email, since I haven't carefully examined its use in other contexts.

~~~
rendx
That is the single most common misconception around PGP, and it comes up every
time:

(Open)PGP is first and foremost a flexible packet format (and other specs),
and GnuPG is more of a CLI "library" to interface with it -- all of it. You
can build something that hides metadata, you can have forward secrecy, and
encryption always-on by default with PGP (and GnuPG). You can use it for
whatever trust model you want, neither OpenPGP (the specs) nor GnuPG prescribe
a certain model. It provides _building blocks_. It just happens that no good
client exists and no more high level specs were written that use it, which is
highly unfortunate. The client in this case here used to be "Enigmail" (a
wrapper around GnuPG), and now is built-in since plugins are not allowed to be
as powerful with the new browser architecture that Thunderbird piggybacks on
and this was the only way to bring PGP to Thunderbird users. Also, there are
some more modern libraries nowadays for standard use cases around PGP.

Signal was able to move faster since it did not exist, did not try to build
things in an open and collaborative fashion, still refuses to work in any open
way. Its founder Moxie even openly argues against standards [x]. I am not
saying he does not have "a point", but in the long run this will lead to just
more silos and ultimately technical stagnation, and for me goes against the
ethos of "a public and open inter-net." (and the learnings behind it. 'Those
who cannot remember the past are condemned to repeat it.')

That said, I do agree with your comment on a pure end-user level. It still
makes me sad to always see this confused and not acknowledged better in places
like HN, where people "should know". Technologists can defend and strive for
the most promising long-term solution and "proper way to do it", and at the
same time recommend "the best of the bad that is currently available". Even if
it is confusing sometimes.

Just to give an example, there are plenty of high security use cases that
require using smartcards. I'm very grateful that the OpenPGP standard and
GnuPG exist that (can be made to) work in such cases. Signal does nothing in
that space, rightfully so. But you are comparing different fruit to each
other, which is kind of unfair.

[x] and still calls himself an "anarchist". You would think those know
better...

~~~
Quekid5
> GnuPG is more of a CLI "library" to interface with it

It abjectly fails at that. It's just awful to interface with.

~~~
rendx
Agreed. It has been long overdue that alternative OpenPGP implementations
exist that try to address some of the peculiarities of GnuPG -- most of which
are [still] there because its founder wants to preserve compatibility at all
costs to support some of its long-term institutional users. And, yes, dealing
with these peculiarities should not the responsibility of end users, but of
further abstraction layers built on top of it (of which there are only a few,
and all of them focused on the email use case).

The constant confusion between OpenPGP (the standard) and GnuPG (one
implementation) has led many users to look elsewhere, which is unfortunate,
but has also led many developers to look elsewhere, which is just sad.

Yes, trying to work within the existing standardization bodies can be very
painful and disheartening, but the few people who try and survive in that
space can use every good soul willing to assist.

The OpenPGP community has done hundred times more than Signal for the state of
security on the Internet, and I'm sure it will continue to do so. Signal is
great, and pushed the limits quite far (and still does), and I'm very grateful
that it exists and use it every day.

~~~
XMPPwocky
What is a good non-email use case for the PGP format?

~~~
ifmpx
Any usecase forwhich no specialized solution already exists. Source code
signatures and Apt/RPM packages are good examples of this.

~~~
XMPPwocky
What does OpenPGP bring there? At least GnuPG has the benefit of being a tool
that's present on many system and which is capable of verifying signatures.

If you're not using GnuPG, you can pick any format you want! What does OpenPGP
add? Everything I can think of is a negative.

~~~
gsich
OpenPGP is the standard, gnupg is a implementation.

~~~
XMPPwocky
Right, so why talk about the standard when you mean, specifically, GnuPG?

If you want an explanation of why GnuPG is dangerous for anything besides
email, let me know. But parent post was very specifically NOT about GnuPG- it
was about OpenPGP.

~~~
gsich
because gnupg is not the only implementation.

~~~
XMPPwocky
Yes, that's what I said, and why I was asking!

What does the OpenPGP format bring to the table, BESIDES HAVING A COMMONLY
AVAILABLE IMPLEMENTATION IN GNUPG?

~~~
gsich
It's the generic term.

------
tingley
Credit to the people that wrote and maintained bugzilla, both as software and
this particular instance. It's still ticking, much longer than (I assume) they
planned it to.

~~~
redis_mlc
My opinion for 20 years has been that Atlassian JIRA would have been stillborn
if somebody had added a blue and white CSS theme for Bugzilla.

~~~
pestaa
No no no you don't understand, the end users NEED drag and drop (and loading
indicators, and slooow and heavy pages to admire those indicators).

~~~
oblio
> the end users NEED drag and drop

Ummm... they do.

------
aerovistae
Never seen a timestamp on the web that said "20 years ago". Wow.

Reminds me of a tiny blog post I put up years ago about the future of
archaeology. Forgive the silly site title.

[https://meaninglessdreams.wordpress.com/2014/09/26/156/](https://meaninglessdreams.wordpress.com/2014/09/26/156/)

~~~
sergiomattei
I was born 20 years ago...

~~~
bigiain
It would have been hilarious if you'd fixed this bug... :-)

~~~
dane-pgp
Now that you mention it, I'm surprised I can't think of any example of someone
fixing a software bug that is older than them. (I'm assuming Warner Losh is
older than 35).

------
globular-toast
Thunderbird has the only calendar I know that has a "multiweek" display as
opposed to (well, in addition to) the utterly retarded month view that exists
in every other GUI.

We've been doing electronic calendars for how long now? Why are we still using
a paradigm from paper based calendars? At the beginning of a month I can see
three weeks ahead, but at the end of the month I can see three weeks behind.
It frustrates me no end that this is still a thing. It reminds me of the early
days of Google maps when they were no better than paper maps, but now we can
rotate the map, zoom in and out etc. But calendars are _still_ no better than
paper calendars. Apart from the one in Thunderbird.

~~~
currysausage
Sorry for nit-picking and being off-topic (I get your point!), but I don’t
think there was ever a version of Google Maps without zoom. Actually, I have
the fondest memories of the first version of Google Maps (the orange-themed
one). It was so much better than anything it replaced at the time, and I think
it would be perfectly usable even today, 15 years later!

~~~
globular-toast
It did have zoom, but they were fixed levels so no different to having
multiple paper maps at different scales. Yes, of course there is the advantage
that it's "not paper", but that was the only advantage really. This is not
unexpected at all as new technology very often mimics existing technology in
its first iteration. If you look at the first outputs of the Gutenberg press
you can see they were trying to mimic handwritten books of the time. But
usually the new technology very quickly surpasses the old after the first
iteration, as electronic maps have now done.

------
oconnore
I do think there ought to be a way to do good cryptography in email. Email is
not going away anytime soon, so giving up on it as a legitimate place where
cryptography is needed seems too ivory tower for me.

The “dead simple solution” is to just run the Signal protocol over SMTP,
although I’m sure it’s possible there is a better design if you were to think
about the specifics.

~~~
jolux
Not if you want to interoperate with anything currently in existence. And if
you don't, why bother building it on SMTP?

~~~
oconnore
You build it on SMTP because upgrading clients is easier than doing a clean
slate redesign of ubiquitous internet protocols.

Presumably we're discussing how an open protocol addition might gain any
traction at all over walled garden protocols like Slack -- and in those cases
you want to maintain as much compatibility as possible.

"Federated SecureEmail 2.0" would be dead-on-arrival, where "Secure Client on
top of bog-standard email" is ever so slightly less DOA. You get to re-use the
existing identity/routing system, existing servers, existing authorization,
etc.

~~~
jolux
>You build it on SMTP because upgrading clients is easier than doing a clean
slate redesign of ubiquitous internet protocols.

Why not just toss the whole shebang and rebuild it below that layer? Signal
Protocol seems to be pretty successful here.

>Presumably we're discussing how an open protocol addition might gain any
traction at all over walled garden protocols like Slack

No, I'm asking how a new open protocol can be built on top of email in a way
that maintains strong backwards compatibility while offering strong security
guarantees, like end-to-end encryption. I don't think it's possible.

~~~
toast0
> No, I'm asking how a new open protocol can be built on top of email in a way
> that maintains strong backwards compatibility while offering strong security
> guarantees, like end-to-end encryption. I don't think it's possible.

You can't have strong security guarantees with backwards compatability,
because backwards compatability requires plain text sending.

Unless you're OK with limited guarantees like the UI will tell you when the
mail could be sent in plain text. Or if the UI tells you the message will be
end to end encrypted, it won't fallback to plain text, etc.

~~~
jolux
>You can't have strong security guarantees with backwards compatability,
because backwards compatability requires plain text sending.

That's right.

>Unless you're OK with limited guarantees like the UI will tell you when the
mail could be sent in plain text. Or if the UI tells you the message will be
end to end encrypted, it won't fallback to plain text, etc.

This would require changing all the clients.

~~~
toast0
> This would require changing all the clients.

Not really, the old clients would never send (or receive) end to end encrypted
messages, so they don't need new UI to tell you that. That's the cost of
unbounded backwards comptability.

If you want to have 100% coverage of email users, changing all clients is part
of the deal. But, uhhh, good luck with that. Server based standards are an
easier lift --- you could build a standard to require hop to hop encryption on
mail and expect that to plausibly gain enough adoption to use over a managable
time frame. Of course it would be trivial for a hop in the delivery path to
subvert that and remove the request, and all hops in delivery would still have
message content access; but if people like it, a large majority of servers
might support it in 5-10 years.

~~~
jolux
>Of course it would be trivial for a hop in the delivery path to subvert that
and remove the request, and all hops in delivery would still have message
content access; but if people like it, a large majority of servers might
support it in 5-10 years.

You're describing TLS, and this is already happening.

~~~
toast0
Not just TLS, but a way to say, while composing a message, if it's can not be
delivered via TLS with a valid certiticate, then don't deliver it. Which
apparently already exists as REQUIRETLS [https://www.rfc-
editor.org/rfc/rfc8689.html](https://www.rfc-editor.org/rfc/rfc8689.html)

Published November 2019. I didn't see any data on support, and hadn't heard of
it before looking just now.

------
matmann2001
I'm more impressed that a ticket managed to live on in a tracker for so long
without getting lost over the years.

~~~
3np
In contrast to ansible issues, which would have changed tracker or repo ~30
times in that time.

~~~
zufallsheld
Or any other recent repo where issues get "stale" and closed automatically.

------
floatingatoll
Previously on HN:

36 comments, 1 day ago:
[https://news.ycombinator.com/item?id=24501872](https://news.ycombinator.com/item?id=24501872)

226 comments, 2 months ago:
[https://news.ycombinator.com/item?id=23864934](https://news.ycombinator.com/item?id=23864934)

51 comments, 12 months ago:
[https://news.ycombinator.com/item?id=21197327](https://news.ycombinator.com/item?id=21197327)

------
shp0ngle
"How much do you trust the owner of this key to sign other keys properly?

* I don't know

* I do NOT trust

* I trust marginally

* I trust fully

* I trust ultimately"

This is a real pop-up I got the last time I tried to use PGP with Thunderbird.

If people still get regular pop-ups like these, I don't think PGP will ever be
popular.

They might have switched to PEP (pretty easy privacy) that uses TOFU (trust-
on-first-use) so maybe this is thing of the past, but I don't know.

~~~
quadrifoliate
I know it's virtually forbidden to discuss practical details of PGP on HN, but
what do you think is the sticking point about that pop-up? It makes people
think a little rather than trust blindly, which seems to be...good?

I do agree that the marginally and fully options are useless. Wonder if
adoption would be better if you just removed them, and were left with:

\- I don't know what PGP is (exit, opens documentation or a tutorial)

\- I definitely _dis_ trust this key (because it has been marked as malicious
in the wild)

\- I trust this key (because I have verified it either in person, or through a
proof like Keybase)

~~~
shp0ngle
Even you misunderstood that question.

It's not "how do I trust this person key", but - "how much do I trust this
person to _sign other people 's keys_ ".

As in "how much do I think that other person is careful in checking other
people's keys". Not judging his key, or your ability to check keys. You are
judging the other person capability to check another, third person keys.

This is important for PGP "web of trust".

------
sulam
21 year old bug, and Damon Gallaty apparently still works at the company that
he worked at back then, albeit with some changes to the name on the checks he
gets.

I have some serious feels for the guy, that had to have been a frustrating
experience.

------
btilly
Wonderful. What an amazing amount of work to implement a terrible idea.

See [https://latacora.micro.blog/2019/07/16/the-pgp-
problem.html](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) for
why we shouldn't be using PGP in 2020.

~~~
upofadown
Gee, this anti-PGP rant showed up 3 times so far in this thread. I think that
justifies a link to my critique:

* [https://articles.59.ca/doku.php?id=pgpfan:tpp](https://articles.59.ca/doku.php?id=pgpfan:tpp)

~~~
btilly
Honestly, I have no idea who you are. I'm not surprised that someone out there
thinks that it is a good idea.

However every cryptographer that I know to trust who has bothered to comment
on PGP has said to not use it. For example see
[https://www.schneier.com/tag/pgp/](https://www.schneier.com/tag/pgp/), or
[https://secushare.org/PGP](https://secushare.org/PGP).

Therefore I won't be using PGP. No matter how much you like it.

------
PenguinCoder
Good for them, but PGP is essentially dead for any non-technical zealot users.
S/MIME is better supported and easier to use.

~~~
crdrost
That's actually the deal with Thunderbird, too. Supported S/MIME and needed a
plugin, Enigmail, to interface with OpenPGP. What is happening here is that
the thunderbird add-on interface is changing and they decided that instead of
porting Enigmail they are integrating OpenPGP straight into Thunderbird like
S/MIME is.

------
elchin
Gave me memories of the times when US had cryptography export restrictions :)

------
snapetom
_sigh_ Thunderbird has so many great features under the hood, but the hood is
the biggest issue I have that prevents me from switching full time. Classic
and wide layouts are not optimized for wide resolutions in modern laptops.
Their vertical layout is unusable. The columns in the list of messages are
horizontal, taking up too much width. Each layout is a tradeoff on whether I
want to message pane to be usable or the list of messages to be usable.

~~~
JohnTHaller
Have you tried turning off some of the columns in the message list and using
Vertical view? There's an absurd number of them that you really don't need all
the time.

~~~
snapetom
I have, but the biggest horizontal space eaters in that view are the most
important ones - subject, from, and date. Turning off the others don't really
help that much. Besides, Mail.app gives me the all the same information as in
Thunderbird's, but the list of messages is rearranged for that view. It
doesn't eat into the message plane. Thunderbird's vertical layout is just a
re-arrangement of the panes.

Edit: I mixed Vertical and Wide in my original message. I meant the vertical
view is unusable. I've edited it.

~~~
corford
Each to their own I guess. I use vertical and like it. Left pane on the left
is all my accounts and folder tree; middle pane is email
star:subject:sender:date; right pane is email contents.

Above the three panes I simply have the message filter box and above that is
the main toolbar (get messages, write, address book, view drop down, quick
filter button).

Simple but works well for me on 1920x1080 or higher (and dealing with about a
hundred or so emails a day).

------
Xophmeister
Is anyone else having problems with this, after migrating from Enigmail on
Thunderbird 68?

It fails to associate my accounts with my keys in my keyring, so I try to
import an exported key. Whenever I do this, it gets stuck in a loop asking me
for the passphrase for an old, revoked key :( Even after I deleted the revoked
keypair -- which I know I shouldn't -- it's refusing to cooperate.

So it looks like I've actually lost this feature by upgrading...

------
l0b0
Where's the actual diff? It would be interesting to see how much and what sort
of code is actually involved.

------
j45
Nice to see Thunderbird still improving.

It also reminds me of the infamously long delay on JIRA-1369, the 20 year old
ticket.

[https://jira.atlassian.com/browse/JRASERVER-1369](https://jira.atlassian.com/browse/JRASERVER-1369)

At least it's neat software can be used for 20 years.

------
justnotworthit
As someone who deals with the opsec/public interface (and is a cynic about
technology in general), I have to say that encrypted email via PGP has to be
the computer security nerd's biggest and longest running "emperor has no
clothes".

------
justinator
Remember when someone had to set up a GoFundMe for the one guy that was
supporting OpenPGP and everything thought, "let's help this guy out" _but at
the same time thought_ Why, though?

------
dm319
Reminds me of this article on HackerNews a little while ago:

[https://news.ycombinator.com/item?id=22368888](https://news.ycombinator.com/item?id=22368888)

------
efitz
Wow, this could have made such a difference to the direction of the internet,
government surveillance, and maybe even saved the lives of dissidents- if it
had been done 20 years ago.

------
LockAndLol
Has someone made a ranking of the oldest bugs Mozilla has? Maybe even by
severity?

I remember some years ago a security ticket was resolved after someone on
reddit celebrated its decennial.

------
janvdberg
Is this the longest time between request/bug and fix?

~~~
trothamel
It's in a different field, and I'm being very tongue-in-cheek - but the
Twenty-Seventh Amendment to the US Constitution has it beat.

[https://en.wikipedia.org/wiki/Twenty-
seventh_Amendment_to_th...](https://en.wikipedia.org/wiki/Twenty-
seventh_Amendment_to_the_United_States_Constitution#Revival_of_interest)

~~~
mch82
Cool link

------
Consultant32452
Ignorant question time, will this mean native support for email services like
proton mail?

~~~
3np
protonmail is different in that they have their own client/server protocol and
you need something like their protonmail-bridge to interface with them over
IMAP (which is only for paid accounts and does not depend on this feature).

It makes it smoother to send and receive e-mails signed/encrypted with PGP.

------
edgarvaldes
How is the Thunderbird development speed nowadays?

~~~
throrthaway
Pretty moribund. They got dropped by Mozilla so it's entirely community-
driven, and there's only so many things you need to add to an email client,
unless you want it to turn into emacs or something.

That said it's a damn good product that's damn good at what it does.

~~~
jcranmer
There's as many developers working on it now as there were when it was a part
of Mozilla.

~~~
throrthaway
Are they still paid by Mozilla, though?

~~~
jcranmer
They are not paid by Mozilla, but there are still paid contributors.

------
29athrowaway
Any thoughts on Enigmail?

------
throrthaway
Who knows, we might even see GNOME getting thumbnail previews in its file
picker!

------
sushisource
Why even bother at this point? PGP encryption in email is... not a good way to
do secure communication.

~~~
unixhero
For one, it works.

~~~
recursive
And if it doesn't work, you're doing it wrong. Or maybe never figured it out
well enough to even try in the first place.

