Week 13 email encryption

@alison, it felt weird that you would be relatively negative about Thunderbird and GPG, but then assign us to experiment with these technologies. That’s the context for the thoughts below.

Though Mozilla no longer pays for Thunderbird to be developed, Mozilla Foundation owns the project and it is actively developed. It probably has a lot more contributors than most open source projects. Think of the Heartbleed SSL vulnerability. SSL was being maintained by one person. A lot more folks contribute to Thunderbird. One of our possible assignments this week was make a Riseup email account. Riseup’s documentation mentions Thunderbird. A number of possible assignments are about experimenting with GPG. FSF’s GPG tutorial recommends Thunderbird. @alison implied that she uses Thunderbird. I use Thunderbird everyday. Point being Thunderbird is okay. When you do first set it up all the options can be intimidating but typically it just works. If your threat model is serious–get serious about the settings. If you wanted to experiment with a different client you could try Claws or Sylpheed. I have a hunch that experimenting with Claws or Sylpheed will make anyone appreciate the robustness of Thunderbird. If your on GNU/Linux, there’s Evolution which is actively maintained and very much equivalent to Thunderbird. Claws, Sylpheed, Evolution, and Thunderbird all have GPG integration.

Once set up in a client like Thunderbird, I’ve found GPG is easy to use. Not that getting there is super easy if you don’t already have a working knowledge of computers/email but the documentation is not esoteric. Doing it at least once can help illuminate how encryption works. I agree that was not created for everyday users and this is problematic. The public display of contacts is very problematic. Is this not doxing by design? I only talk about GPG during long privacy trainings. With the caveat that I may have done poor job explaining it, no attendee has every taken me up on the offer to exchange a GPG encrypted email (my fingerprint is D2FB 800F CDF1 6A3F E63B 6498 C953 2D42 8A9B 3AEF). Though I use Thunderbird everyday, I have only exchanged GPG encrypted emails with two people: @alison and my partner. @alison said Tor Project uses GPG for financial docs. So it works, it is just sub-optimal.

I concur there are some aspects (or pockets) to the culture that GPG emerged from that are toxic: elitism disguised as meritocracy, a ‘hack or be hacked’ mentality that ignores the rights of others, and (sometimes) misogyny. Though I have benefited from privileges society unjustly affords me, I too find/found those aspects of that culture intimidating and gross.

I’ll plead the fifth as to having any orphan keys floating around out there.

I understand, but I asked you to experiment with them because it is important that you understand what the most popular and trusted email encryption tools are, while also knowing why I think they’re far from perfect.

Thunderbird is okay because it’s the best we have given the other options.

That’s my issue with the entire GPG environment, from tools to setup to everyday use.

Basically yeah, including dates that you were with that person if you signed their key.

Yep yep yep

LOL. I have at least one that I lost the revocation certificate for.

…and that’s why I set up a Riseup email instead of working on Thunderbird or GPG:grin: I’m currently only giving workshops for patrons, and given who generally attends, I don’t think it will be worthwhile to present something that is not designed for everyday users. When I plan workshops for librarians down the road I might explore more thoroughly!

1 Like

And for most regular-skill-level users, I think that Gmail’s security features are actually quite good.

1 Like

I have a question… I won’t say dumb, but… If I setup a riseup email account, and then use a client to to access & hold the messages (per this line on their site: “If you need more space, consider downloading your email using a mail client”), does that do anything negatively (privacy/security wise)? Is a client more than a place where the items come to live? Could a client expose things in a way that I’m not thinking of? In the past, I have used Thunderbird as a place to store messages of old/unused accounts, but I haven’t used it as a place I’m actively sending/receiving messages.

Another way to ask this question is “should I use IMAP or POP3?”

IMAP = messages are delivered to your mail server (mail.riseup.net or whatever) and they stay on that server unless you physically delete them

POP = messages are delivered from your mail server, then once you download them to your email client, they are deleted from your mail server

More on IMAP and POP https://support.office.com/en-US/article/What-are-IMAP-and-POP-ca2c5799-49f9-4079-aefe-ddca85d5b1c9

As for the privacy/security implications – it cuts both ways!

IMAP: Riseup’s servers are trustworthy and that’s good, but web browsers come with privacy/security risks, and using IMAP means you’re probably accessing it from webmail in the browser (you could ALSO use Thunderbird with IMAP, but then you’d have copies in your Thunderbird client AND on Riseup’s servers)

POP: You don’t have to trust anybody’s server, but you do have to trust your own computer. This means having a strong computer password, keeping software up to date, avoiding malware and all that.

What I do: I have three email accounts, and two of those use Riseup’s servers. I use POP for both and regularly backup my downloaded mail and delete the old copies from Thunderbird. I do use IMAP on the third account, but it’s a small mail server controlled by a friend with a strong background in security. I would trust Riseup’s IMAP too, it’s just that they don’t offer a lot of space!


Follow up–Protonmail does not support POP3. IMAP is only available to paid users. IMAP only works with an extra piece of software called ProtonBridge that does the encrypting/decrypting. This does not have a Linux version at the time of writing but they planned to release one in “early 2018.”