
Mozilla announces PGP Support in Thunderbird, coming 2020 - exabrial
https://blog.mozilla.org/thunderbird/2019/10/thunderbird-enigmail-and-openpgp/
======
eindiran
The comments here are overwhelmingly negative so far, so I'll say something
positive: even if this comes rather late for Thunderbird, I appreciate that
Mozilla chose to add this functionality. Any feature that makes PGP easier to
use for the average person (especially better integration into a platform) is
a win in my book.

~~~
Jonnax
There's a lot of negativity around Mozilla in general.

Like take their rewrite of their android browser. It's faster than Chrome and
is currently in preview.

Add-on support is work in progress but they got plenty of snarky attacks that
it's not in MVP.

The whole DNS over HTTPS attacks seemed focussed on Firefox, a browser with a
tiny marketshare compared to Chrome who also implements it.

~~~
dessant
Firefox does seem to attract that demographic, or it could be just a symptom
of open source entitlement. I've received some of the rudest personal attacks
via extension reviews on Firefox Add-ons.

Take a look: [https://addons.mozilla.org/en-US/firefox/addon/search_by_ima...](https://addons.mozilla.org/en-US/firefox/addon/search_by_image/reviews/1424324/)

~~~
Jonnax
Wow. That user saying that you should be satisfied with just the ratings is
crazy.

------
kbrosnan
This is the Thunderbird Project's announcement. That group did the work,
Mozilla provides a legal and financial framework for Thunderbird. Mozilla's
work for Thunderbird is similar to projects like the Software Freedom
Conservancy or Apache Software Project.

User donations account for a lot of the work that has been done in the last
year. It has allowed them to hire full time and contract workers for
Thunderbird. If you want to see the project continue to progress dropping them
a recurring donation would be awesome [2].

[1] [https://blog.mozilla.org/thunderbird/2017/05/thunderbirds-fu...](https://blog.mozilla.org/thunderbird/2017/05/thunderbirds-future-home/)
[2] [https://donate.mozilla.org/en-US/thunderbird/](https://donate.mozilla.org/en-US/thunderbird/)

------
dfabulich
PGP support in an email client is worse than nothing.
[https://latacora.micro.blog/2019/07/16/the-pgp-problem.html](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html)

> _Email is insecure. Even with PGP, it’s default-plaintext, which means that
> even if you do everything right, some totally reasonable person you mail,
> doing totally reasonable things, will invariably CC the quoted plaintext of
> your encrypted message to someone else (we don’t know a PGP email user who
> hasn’t seen this happen). PGP email is forward-insecure. Email metadata,
> including the subject (which is literally message content), are always
> plaintext._

In 2020, someone should know better than to add pretend encryption to
email. The metadata leaks alone should lead you to conclude that this isn't
worth doing.

Don't use email for secure communications, period. Use a secure messaging app
like Signal, instead.

~~~
acqq
Whoever wrote what you quoted avoided mentioning that the plugin (and I'd
expect this new implementation) can protect the user from replying in
plaintext to the encrypted message.

And using PGP in some scenarios has an advantage for the users and is indeed
less convenient for eavesdroppers. It seems that the latter are especially
motivated to promote fear against PGP.

~~~
dfabulich
"The plugin" (which plugin? I'm referring to the GPG plugin for macOS mail)
doesn't prevent forwarding as far as I can see.

The point isn't "use non-PGP email", the point is "don't use email at all for
secure communications. Use a secure messaging app instead."

~~~
heavenlyblue
So let’s say I copy a message from WhatsApp to a message board, does that
disqualify WhatsApp from being a “secure messaging app”?

~~~
dfabulich
The point isn't that you forwarded the secret (indeed, _that_ was on purpose).

The point is that you forwarded the secret in plaintext, because email is
plaintext by default, and the forwarding person probably didn't realize that,
because no email client (even with GPG plugins) posts a big red warning label
saying "stop! this is plaintext" because that's 99% of all emails.

~~~
acqq
> because no email client (even with GPG plugins) posts a big red warning
> label saying "stop! this is plaintext"

I've used a plugin that did exactly that: warned when the encrypted e-mail is
replied to or forwarded as plain text.

If such a plugin is not commonly used with e-mail clients, that can't be
proof that e-mail encryption is inherently bad, just that that feature should
exist.

Mozilla implementers, I hope you're inspired.
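
The reply/forward warning acqq describes above, as an added example in Python that is not from this thread, Enigmail or Thunderbird: it flags a draft that is not OpenPGP-encrypted (neither RFC 3156 PGP/MIME nor inline ASCII armor) when the message it replies to or forwards was. The addresses and the "ciphertext" in the sample messages are constructed placeholders, and the check assumes the client has already decrypted and quoted the original into the draft.

```python
from email.parser import Parser

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def is_openpgp_encrypted(msg):
    """True for RFC 3156 PGP/MIME (multipart/encrypted carrying
    application/pgp-encrypted) or inline ASCII-armored PGP in a text part."""
    if msg.get_content_type() == "multipart/encrypted":
        return str(msg.get_param("protocol", "")).lower() == "application/pgp-encrypted"
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if PGP_ARMOR in (part.get_payload(decode=True) or b""):
                return True
    return False

def plaintext_leak_warning(original, draft):
    """Return a warning when a draft reply/forward of an encrypted message is
    itself unencrypted: the quoted, decrypted text would leave in the clear."""
    if is_openpgp_encrypted(original) and not is_openpgp_encrypted(draft):
        return ("The message you are replying to or forwarding was "
                "OpenPGP-encrypted, but this draft will be sent in plaintext.")
    return None

def check(original_raw, draft_raw):
    # Convenience wrapper over raw RFC 822 text (what a client would hold).
    parse = Parser().parsestr
    return plaintext_leak_warning(parse(original_raw), parse(draft_raw))

# Constructed sample: a PGP/MIME-encrypted original; the body is a placeholder.
ENCRYPTED_ORIGINAL = """\
From: alice@example.com
To: bob@example.com
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""
# Constructed sample: a plaintext forward that quotes the decrypted body.
PLAINTEXT_FORWARD = ("From: bob@example.com\nTo: carol@example.com\n"
                     "Content-Type: text/plain\n\n> (decrypted body quoted here)\nFYI\n")
```

Note that this only catches the quoted body; the subject and other headers of the original are plaintext either way, as dfabulich's quote points out.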

------
urda
Seeing a ton of negativity around PGP in this thread, sounds like it's
refresher time for HN readers:

- PGP isn't _always_ the proper solution.

- Yes, you do need to be aware of what metadata is involved and what it
exposes. This applies to all systems.

- Secure communication is much more than key selection.

- Mozilla taking steps to integrate it into Thunderbird should be applauded.

------
gambler
Theoretically this is a good thing, but it's way, way too late, since most
people use web or mobile clients now.

Mozilla should include a proper PGP implementation _in their browser_. In
fact, I have no idea why a browser that positions itself as pro-privacy
doesn't already have a way to sign, verify, encrypt and decrypt text.

As far as I can tell, there wasn't even a discussion about this, which is
ridiculous, considering the web (if you count it as a single system) is
clearly the biggest communication platform in the world today.

~~~
exabrial
PGP Auth would be _incredible_. Imagine being able to claim an account through
keybase proofs!

~~~
gambler
Yeah, that's the thing: once you get a full suite of PGP tools as a standard
feature of your browser it would make a whole bunch of other features
possible.

------
TheChaplain
I believe the actual reason for built-in PGP/GPG support is due to TB dropping
support for XUL addons and going the same road with WebExtensions as Firefox.

The current PGP/GPG implementation Enigmail is XUL, and been available for
years.

------
jlgaddis
According to the linked wiki page [0]:

> _To process OpenPGP messages, GnuPG stores secret keys, public keys of
> correspondents, and trust information for public keys in its own file
> format. Thunderbird 78 will not reuse the GnuPG file format, but will rather
> implement its own storage for keys and trust._

First reaction: Yay! We'll get to manage everything twice!

Second reaction: I am hopeful they'll support private keys stored on
smartcards (i.e., Yubikeys, "real" smartcards, and OpenPGP cards) although, if
the support in Firefox is any indicator, I wouldn't bet on it actually being
"usable".

[0]: [https://wiki.mozilla.org/Thunderbird:OpenPGP:2020](https://wiki.mozilla.org/Thunderbird:OpenPGP:2020)

------
amluto
> Thunderbird is unable to bundle GnuPG software, because of incompatible
> licenses (MPL version 2.0 vs. GPL version 3+). Instead of relying on users
> to obtain and install external software like GnuPG or GPG4Win, we intend to
> identify and use an alternative, compatible library and distribute it as
> part of Thunderbird on all supported platforms.

IMO this is great news. GnuPG is, IMO, awful. Every time I use it I dislike it
more. I recently set up a new subkey using a hardware token and the whole
experience made me wish that someone would implement a better way to deal with
OpenPGP messages.

------
m12k
In Denmark, due to the GDPR, almost none of the digital letters we receive from
the government can be sent by email (since they would contain personally
identifiable information such as Social Security Numbers), so instead we just
get a notification by email that tells us to log into a special 'secure'
hosted mailbox. Except it's not hosted by the government, but some company
that won a contract to build and host this - but now it's going to be built
and hosted by another company that won the latest contract. This all seems
kinda crazy to me, the public paying private companies to build and run one
proprietary solution after the other. Does anyone know if there is some modern
protocol/system that provides an alternative to email, and guarantees end-to-
end encryption and other privacy-improvements?

~~~
secfirstmd
I'm not quite sure about your characterisation of "due to GDPR" in this
instance. Personally identifiable information does and can flow to regular
email, though obviously it is better that it doesn't where possible.

~~~
m12k
Really? It was my impression that not being able to guarantee encryption along
the way (basically you might be sending a postcard instead of a letter) made
it a non-starter.

------
ClumsyPilot
As they say, this is too little, too late. About 15 years ago was the time
when it would have made a real difference.

~~~
Jonnax
"This new functionality will replace the Enigmail add-on, which will continue
to be supported until Thunderbird 68 end of life, in the Fall of 2020."

------
bananamerica
Every time I try to set up an email client I end up going back to gmail.com.
What are the advantages of the hassle? They never seem to do what I want them
to.

