
Enigmail did not encrypt email to recipients - tshtf
http://sourceforge.net/p/enigmail/forum/support/thread/3e7268a4/
======
Someone1234
> These people may have heard about a rule that it is good to upgrade your
> system, so their TB and enigmail is upgraded (semi)automagically.

This type of user behaviour has been exploited by the security services many-a-time.
If that's who you're up against then somewhat counter-intuitively the
advice is actually to run "old faithful" encryption suites which have been
verified and just keep an eye on the changelog for any actual security issues
(ignore feature updates).

If you have automatic updates turned on, there's nothing stopping them from
MiTM-ing that and injecting a specially crafted (malware) version which will
allow them to decrypt the traffic without you knowing (or just send them the
private key(s)).

Now before you say "but the executable is signed!!!" well that's grand, but
these guys have a CA in your certificate store. So they can generate fake
certificates at a whim.

This logic also extends to any automatic updates on your system (e.g. Mac OSX
system-updates have been exploited before in this way). A lot of software will
download updates then run the "installer" in ring 0 (root). Even if you trust
the source of the updates, do you trust all of the CAs in your CA store? I
certainly do not.

~~~
mspecter
Shouldn't the certs related to OS / app updates be self-signed (the root of
trust being Microsoft/Apple/pkgmanager*), rather than anyone in your CA? Like,
a new Java update should be signed by Oracle, not signed by Joe Schmo's Honest
CA.

Also, forgive me if I'm wrong, but the original Evilgrade exploit for Apple
was completely unencrypted, right?

Edit: You use "these guys" to refer to the attacker quite a bit in your
statement above, it'd be smart to think about your threat model a bit. For
instance, it's likely that some actors can get a root WEB CA, and somewhat
unlikely that they've gotten into Apple's chain of trust. These are different
targets with different threat models.

~~~
__david__
> Shouldn't the certs related to OS / app updates be self-signed (the root of
> trust being Microsoft/Apple/pkgmanager*), rather than anyone in your CA?

Yes, this is how Debian works (they use a well known gpg key to sign their
list of packages).

I believe the popular Mac OS X library Sparkle also works like this—the master
public key is shipped with the App so that it only accepts updates that are
signed by that particular key (if you use Apple's code signing then it only
accepts new updates if they are signed by a key assigned to the developer).

------
Joeboy
I use enigmail because it's an easy way to generate a bit more PGP
signed/encrypted traffic, which is a good thing.

If it was important, I would probably encrypt on the command line, on a more
trustworthy device than my regular PC.

Also, I haven't checked, but I have a suspicion Thunderbird saves unencrypted
drafts to the server while you're composing.

~~~
christianmann
You should check on that. I'm pretty sure I've seen lots of encrypted drafts
on the server after I finish composing an email. I think it's bad at deleting
them when it's finished.

~~~
Joeboy
Ok, with my default-ish settings, it doesn't seem to save drafts at all after
I tell it I want the message encrypted.

However if I write the message before specifying that I want it encrypted, it
gets sent to the server unencrypted.

Which kind of makes sense I suppose, but seems like a bit of a usability
gotcha.

------
allegory
And this is why us financial people have our own secure messaging services
that don't touch email systems other than for notification...

~~~
BillFranklin
What made your company choose to start encrypting your email? Could you share
some more info on your setup?

~~~
bentcorner
MessageLabs.com is a common one I've seen different financial institutions
use. IIRC, it's ugly but functional. It's an odd UI flow but tolerable:

1. Get an email at your normal email that you have a message at secure email
provider

2. Click link, get taken to a web page where you need to make an account to
read the mail

3. Read mail at the link, you can reply and attach stuff to it, and that's
it. No create mail functionality.

So you end up with "email conversation as a link" sort of feeling. Very
odd when you're used to dealing with any other "normal" webmail site.

~~~
Mandatum
What happens when A. you click a phishing link which takes your username and
password, logs into the real site and downloads all of the data, B. the site
is hacked and all of the mail on the site including archived stuff is leaked,
or C. someone manages to MitM your network, uses a quasi-signed cert to spoof
the actual website and reads all of your mail or finally D. the hosting
provider is raided, and all data is handed over to an authority?

I don't think trusting a third-party with highly confidential financial data
is very good practice.

------
aabdocker
In the comment that person says:

> I understand your anger, but this is a volunteer. It seems obvious to me too
> that he messed up because the latest version is broken for me too. But let's
> cut him a little slack

I also don't agree. This project is featured on the homepage of add-ons list
and I bet thousands of people rely on it. That's not how things work, software
should be tested.
[https://addons.mozilla.org/en-US/thunderbird/](https://addons.mozilla.org/en-US/thunderbird/)

~~~
parennoob
I try hard not to be the "you should ask for your money back" person, but I
don't see that hand-wringing like this is any use as regards open-source
software.

"Software should be tested" is indirect speech which leaves out the subject.
Who should ensure that the tests are in the codebase? The creator? The writer
of this update? If this was a first-time volunteer and his patches were acked
by someone, the person who cleared them is arguably more at fault – the
original contributor should not be blamed.

Developing OSS is a complex endeavor depending upon the donated time of
hundreds of people. Sometimes I'm surprised that there are well-functioning,
robust pieces of OSS out there at all.

------
xkarga00
Regarding e-mail encryption I am really anticipating Lavaboom to kick off
[https://www.lavaboom.com/en/](https://www.lavaboom.com/en/)

~~~
sarciszewski
Shorter Lavaboom: "We've never heard of node-webkit"

~~~
sarciszewski
To the people who downvoted this comment: Read their FAQ and you'll see what I
mean. Also, learn to take a fucking joke.

