[opensuse] Re: [opensuse-factory] Thunderbird 78 and encryption status
Hi, Am 14.09.20 um 20:53 schrieb Martin Wilck:
Q: "I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?" A: "No."
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
These two answers prove to me that this feature isn't production-ready. Protecting one of the most important items for personal privacy (the GPG secret key) with just the thunderbird master password sounds like a joke. In general, not relying on gpg strikes me as a bad idea, as that's what allows sharing the same set of keys between different applications. And being unable to share or even synchronize keys with the de-facto-standard PGP encryption software seems - dumb, sorry.
It's not your fault. But perhaps let it sit in the mozilla repo for some more time.
what I understood it was not a light decision to implement it like this. There was basically not much choice from what I know. The Mozilla platform does not allow that deep integration with the system anymore (with the removal of legacy extensions to webextensions only). Integrating or linking to GPG components then again would have been a platform specific one and also apparently license wise not really an option. Just waiting most likely won't change the situation because of that. For certain usecases a bit of GPG support is still available: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards Wolfgang -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Well it works for me Thunderbird 78.2.2 out of Information for package MozillaThunderbird: ------------------------------------------- Repository : openSUSE BuildService - Mozilla Name : MozillaThunderbird Version : 78.2.2-lp151.3.1 Arch : x86_64 Vendor : obs://build.opensuse.org/mozilla Installed Size : 208.5 MiB Installed : Yes Status : up-to-date which I'm sure someone will bitch and moan about it bot being the distribution repository. There was a 'DUH?" time when nothing happened but then I upgraded enigmail to 2.2.2 and restarted T'Bird and magic started happening. Well 'magic' in the form a wizard that converted all my PGP signatures, presumably reading them into, integrating them into and boating the size of T'Bird. Can I now remove enigmail? Restarted T'Bird out of paranoid and tried it in correspondence with a friend who doesn't use Linux. we tried both encrypted and just signed in both directions. It works but it is strange. It is strange in that I never was asked for a passphrase. It is strange in that the only indication that the message was encrypted or signed is an icon in the top right-hand corner. if you click on the icon you get details and can drill down to see what key is being used. Sending you are not offered a choice of key. My correspondent was surprised at that, so he generated a new key and sent it and I verified it, and peeked to see that, yes, T'Bird knew about it, but next time round T'Bird still insisted on using the oldest signed key. Again not offering me a choice of which key to use. I haven't tried using the external version of GPG yet. -- Your eyes are weary from staring at the CRT. You feel sleepy. Notice how restful it is to watch the cursor blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 17/09/2020 13.29, Anton Aylward wrote:
Well it works for me Thunderbird 78.2.2 out of
...
Restarted T'Bird out of paranoid and tried it in correspondence with a friend who doesn't use Linux. we tried both encrypted and just signed in both directions. It works but it is strange. It is strange in that I never was asked for a passphrase.
It doesn't if you have not set a master password for TB itself, I understand.
It is strange in that the only indication that the message was encrypted or signed is an icon in the top right-hand corner. if you click on the icon you get details and can drill down to see what key is being used. Sending you are not offered a choice of key. My correspondent was surprised at that, so he generated a new key and sent it and I verified it, and peeked to see that, yes, T'Bird knew about it, but next time round T'Bird still insisted on using the oldest signed key. Again not offering me a choice of which key to use.
I haven't tried using the external version of GPG yet.
-- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 9/17/20 6:53 AM, Carlos E. R. wrote:
On 17/09/2020 13.29, Anton Aylward wrote:
Well it works for me Thunderbird 78.2.2 out of
...
Restarted T'Bird out of paranoid and tried it in correspondence with a friend who doesn't use Linux. we tried both encrypted and just signed in both directions. It works but it is strange. It is strange in that I never was asked for a passphrase.
It doesn't if you have not set a master password for TB itself, I understand.
It is strange in that the only indication that the message was encrypted or signed is an icon in the top right-hand corner. if you click on the icon you get details and can drill down to see what key is being used. Sending you are not offered a choice of key. My correspondent was surprised at that, so he generated a new key and sent it and I verified it, and peeked to see that, yes, T'Bird knew about it, but next time round T'Bird still insisted on using the oldest signed key. Again not offering me a choice of which key to use.
I haven't tried using the external version of GPG yet.
After you import you keys with the enigmail helper, be aware of: https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_i-n... I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys? No. At this time, Thunderbird uses its own copy of keys, and doesn't support synchronizing keys with GnuPG. The exception is the mechanism offered for smartcards, which could be used to use the personal keys managed by GnuPG. How is my personal key protected? At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected. -- David C. Rankin, J.D.,P.E.
participants (4)
-
Anton Aylward -
Carlos E. R. -
David C. Rankin -
Wolfgang Rosenauer