Size: 4774
Comment: clarify recommendation for concealed subjects that they are only needed when needed
|
Size: 6738
Comment: ...: readd some information
|
Deletions are marked like this. | Additions are marked like this. |
Line 37: | Line 37: |
=== Switch off the dots in subjects (incompatible subject header encryption) | === Switch off replacing the subject with three dots |
Line 39: | Line 39: |
Unfortunately Thunderbird implemented an experimental way to try to protect the subject header line of an email which is not backwards compatible but enabled by default. |
Unfortunately Thunderbird implements an experimental (non standard) way that tries to protect the subject header line of an email which is not backwards compatible but enabled by default. |
Line 42: | Line 42: |
Thunderbird replaces the subject of encrypted mails with three dots to protect users from accidentally disclosing sensitive information. |
|
Line 43: | Line 45: |
where the sender added real information. | where the sender added real information. Beside that loss of information, this also breaks message filtering and searching on the server |
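Review bot: The sentence added on the right-hand side ends at "searching on the server" with no full stop, so it runs straight into the next paragraph when rendered. Close it with a period. "Beside that loss of information" should also read "Besides that loss of information".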
Line 45: | Line 48: |
We recommend to switch this off. That can be done with a hidden option since Thunderbird 78.5.1, see https://support.mozilla.org/en-US/questions/1304451#answer-1375985 . |
Thunderbird contains a non-standard mechanism to encrypt the subject, but even then the original subject often is lost, e.g. when using drafts, printing, and probably other situations. We recommend to switch this off. One way that Thunderbird documented is using the [[https://support.mozilla.org/en-US/kb/config-editor]]Config Editor]] by searching for the following entries and changing them from true to false: * mail.identity.default.protectSubject * mail.identity.id1.protectSubject * and if you have multiple identities configured: id2, id3, ... |
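Review bot: The link markup in the added paragraph is malformed: `[[https://support.mozilla.org/en-US/kb/config-editor]]Config Editor]]` closes the link right after the URL, so the label ends up outside it with a stray `]]`. Separate target and label with a pipe instead, i.e. `[[https://support.mozilla.org/en-US/kb/config-editor|Config Editor]]`. The replaced line also stated that the hidden option exists "since Thunderbird 78.5.1"; the new text drops that version bound, and it is worth keeping so readers on older releases know why the entries may be missing.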
Line 71: | Line 83: |
===How to enable encryption ====Result after completing this instruction {{thunderbird_enable_encryption_result.png}} ====1. Click on the account name and then on "End-to-end Encryption" {{thunderbird_enable_encryption_1.png}} ====2. Click on the button "Add Key..." on the right side of the window. {{thunderbird_enable_encryption_2.png}} ====3. A window will be opened, where you can choose, if you want to import a key or to create a new key pair. In this instruction we explain how to import an existing key. For that click on the option "Import an existing OpenPGP Key" and on the button "Continue". {{thunderbird_enable_encryption_3.png}} ====4. In the next window click on the button "Select File to Import...". {{thunderbird_enable_encryption_4.png}} ====5. A window with the file manager appears. Here you have to navigate to the folder, where your key is in. Then select it and click on "Open". {{thunderbird_enable_encryption_5.png}} ====6. Confirm with a click on "Continue". {{thunderbird_enable_encryption_6.png}} ====7. Enter the password for the key and click on "Sign in". {{thunderbird_enable_encryption_7.png}} ====8. Confirm with a click on "Continue". {{thunderbird_enable_encryption_8.png}} ====9. Now you have to select the imported key by clicking on it. {{thunderbird_enable_encryption_9.png}} |
Thunderbird (since version 78, first released 2020-07) implements its own OpenPGP/MIME support, using the libraries RNP (https://github.com/rnpgp/rnp) and Botan.
The main advantage for Thunderbird users is that they do not have to install an additional application like Gpg4win on Windows. The main drawback is that Thunderbird has its own handling of key material, which is separated from the rest of the operating system and from other applications that use GnuPG, for example. Some abilities that GnuPG provides are missing, e.g. handling of hardware tokens like smartcards or USB devices.
Thunderbird can still be configured to use a system's GnuPG installation for private key operations, see https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards .
The Thunderbird people have an FAQ about the new OpenPGP support.
History
Until version 68 (last release 2020-10), Thunderbird did not have OpenPGP/MIME functionality included. The external extension Enigmail, which used GnuPG, provided it. A necessary and large change in how browser extensions can be implemented made Enigmail's technical implementation unfit for newer versions. See the explanation of Enigmail's maintainer. Enigmail's support for this version stopped on 2021-10-01.
It is not publicly known what the main reasons were for doing a new implementation instead of using GnuPG (and Gpg4win). One Mozilla developer wrote about licensing concerns, but other people have pointed out that GPGME is GNU LGPL and that the GNU GPL of GnuPG itself allows for a combined distribution of Thunderbird and GnuPG.
Previously, in 1999 and 2005, Mozilla declined to include (already implemented) OpenPGP/MIME functionality because they preferred S/MIME, according to Werner Koch.
Hints
Switch off replacing the subject with three dots
Unfortunately, Thunderbird implements an experimental, non-standard way of trying to protect the subject header line of an email. It is not backwards compatible, but it is enabled by default.
Thunderbird replaces the subject of encrypted mails with three dots to protect users from accidentally disclosing sensitive information. As a result, many other email clients will just see three dots (...) as the subject where the sender added real information. Besides that loss of information, this also breaks message filtering and searching on the server.
Thunderbird contains a non-standard mechanism to encrypt the subject, but even then the original subject is often lost, e.g. when using drafts, printing, and probably in other situations.
We recommend switching this off. One way that Thunderbird documented is to use the Config Editor (https://support.mozilla.org/en-US/kb/config-editor), searching for the following entries and changing them from true to false:
- mail.identity.default.protectSubject
- mail.identity.id1.protectSubject
- and if you have multiple identities configured: id2, id3, ...
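To check which identities still replace the subject, the preference names above can be audited in a profile's prefs.js. The following is an added example, not part of the original page or of Thunderbird. It assumes that an identity without its own entry inherits mail.identity.default, that the default is true as described above, and that the generated lines are placed in the profile's user.js. The sample input is constructed.

```python
import re

# Matches lines such as: user_pref("mail.identity.id1.protectSubject", false);
PREF_RE = re.compile(
    r'^user_pref\("(mail\.identity\.(default|id\d+)\.([^"]+))",\s*(.+?)\);\s*$')

# Constructed prefs.js excerpt (not taken from a real profile).
SAMPLE_PREFS = '''\
user_pref("mail.identity.id1.useremail", "alice@example.org");
user_pref("mail.identity.id1.protectSubject", false);
user_pref("mail.identity.id2.useremail", "alice@example.net");
user_pref("mail.identity.id3.useremail", "team@example.org");
user_pref("mail.identity.id3.protectSubject", true);
user_pref("mail.server.server1.type", "imap");
'''

def audit_protect_subject(prefs_text):
    """Return {identity: bool}; True means the subject is still replaced.

    Assumption: an identity with no protectSubject entry of its own falls
    back to mail.identity.default, which is treated as true unless changed.
    """
    identities, explicit = set(), {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        _, ident, key, value = m.groups()
        if ident != "default":
            identities.add(ident)
        if key == "protectSubject":
            explicit[ident] = (value.strip() == "true")
    default = explicit.get("default", True)
    ordered = sorted(identities, key=lambda s: int(s[2:]))
    return {i: explicit.get(i, default) for i in ordered}

def user_js_lines(status):
    """Emit user.js lines for the default entry and every identity still on."""
    names = ["default"] + [i for i, on in status.items() if on]
    return [f'user_pref("mail.identity.{n}.protectSubject", false);'
            for n in names]

if __name__ == "__main__":
    status = audit_protect_subject(SAMPLE_PREFS)
    for ident, on in status.items():
        state = "subject replaced with ..." if on else "subject sent as written"
        print(f"{ident}: {state}")
    print("\n".join(user_js_lines(status)))
```

Close Thunderbird before editing files in the profile directory, since it rewrites prefs.js on exit.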
Transport information in a decentralized network, just like the writing on the outside of a postal mail envelope, cannot be protected in principle. With this in mind, if you need confidentiality, choose a subject that is plausible in context but has no sensitive content, to best veil it from potential unwanted observers. (Your thinking is right: the more sensitive this is, the more you have to build up a plausible context for your unavoidable traces first.)
Details
For version 91 (checked 2021-12-02) the FAQ still states that the encryption cannot be disabled in the GUI: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_can-i-disable-the-encryption-of-the-email-subject
For the reasoning why Thunderbird's implementation is suboptimal, see the gnupg-users discussion from January to March 2021, e.g.
- https://lists.gnupg.org/pipermail/gnupg-users/2021-February/064862.html
- https://lists.gnupg.org/pipermail/gnupg-users/2021-March/064981.html
- https://lists.gnupg.org/pipermail/gnupg-users/2021-February/064858.html
In Thunderbird Daily (version 97.0a1, 2021-12-09) it is possible to disable the encryption of subjects in the GUI: attachment:subject_encryption_thunderbird.png