On Tue 2018-10-16 12:05:33 +0200, Carsten Schoenert wrote: > yes, the problem here is Enigmail, not Thunderbird! But I don't see that > this as a vulnerability per se from a security perspective. > And you still can install the Mozilla AddOns manually into FF and TB. > It's a loosing of comfort and easy usage of the system provided > packages, but not more for the typical single user cases on a machine or > laptop.
fwiw, the version of enigmail that you get from the Mozilla addons store has what i consider to be pretty serious problems: * it downloads and executes binaries from the web on behalf of the user (its "pEp" mode) without any form of verification beyond https certificate validation. * it contains a bundle of OpenPGP.js, which doesn't appear to be easily buildable (or modifiable) from source, so it's not free software in the sense that debian cares about. I don't think we want to encourage people to do that. > And happily dkg is taking this challenge really seriously! Thanks for the vote of confidence, Carsten! :) > And being not able to send automated encrypted email is not a > vulnerability as you still can use gpg on the command line and encrypt > your content obviously with less comfort, and it's your decision. And > again, you can still install Enigmail from upstream. So hey, that's life. fwiw, i don't consider encryption from the command line to be a substitute for proper integration with your mail user agent. If you do that, you're also likely forcing your peers to do the same thing, and it's really easy to screw it up on one side or the other. So this situation really is a security issue for some people, who are losing the capacity to send and receive encrypted e-mail. There are people who, if their mail is forced back into cleartext, run risks with potential consequences ranging from loss of employment to loss of liberty or even loss of life. I really hope debian can get this sorted out for the next stable point release at the latest. thanks to everyone for their constructive help getting it done! --dkg
signature.asc
Description: PGP signature
