Securing Thunderbird email with OpenPGP
Email is commonly used in business today, yet only a small percentage of users take the time to guarantee that their email is sent in a secure and confidential manner. If you're not part of that elite group, read on to learn how to set up OpenPGP with the Mozilla Thunderbird mail component. OpenPGP is a patent-free encryption scheme based on the same security architecture as the commercial version of PGP, which has been available since the early '90s. Thunderbird uses OpenPGP through the GnuPG implementation -- developed by the Free Software Foundation -- to interpret and send digitally signed and encrypted messages.

The first step in setting up Thunderbird with OpenPGP is to have GnuPG installed on your system. The majority of Linux distros include this package in their official release. Query for it on your system by entering the following command: which gpg. If it's not found, or if you are using a different operating system like Windows or Mac, then you will need to download and install it. The cornerstone of GnuPG's security -- and hence of OpenPGP -- is the key pair. Made up of a private and a public key, key pairs are used throughout the security loop by both sender and receiver, as we will observe in the rest of this article.
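The key-pair loop described above, run end to end with GnuPG on the command line, as an added example that is not code from the original article: it assumes GnuPG 2.1 or later (for --quick-generate-key), keeps everything in throwaway keyrings under a temporary directory, and the names, addresses and message are made up.

```shell
#!/bin/sh
# Added example, not code from the original article. Walks the key-pair loop
# with GnuPG 2.1+: two throwaway keyrings stand in for the sender (Alice) and
# the receiver (Bob); the names, addresses and message are made up.

# The article's first step: is gpg installed? (equivalent to `which gpg`)
require_gpg() {
    command -v gpg >/dev/null 2>&1 && return 0
    echo "gpg not found: install GnuPG before setting up Thunderbird" >&2
    return 1
}

# Generate a demo key pair in its own --homedir so ~/.gnupg is never touched.
# The empty passphrase keeps the demo non-interactive; real keys need one.
make_key() {  # $1 = homedir, $2 = user id
    mkdir -p "$1" && chmod 700 "$1" || return 1
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}
# Sender signs with her private key and encrypts to the receiver's public key;
# receiver decrypts with his private key and verifies with her public key.
# Prints the recovered plaintext, then the signature verdict.
openpgp_roundtrip() {
    require_gpg || return 1
    tmp=$(mktemp -d) || return 1
    alice="$tmp/alice"; bob="$tmp/bob"
    make_key "$alice" "Alice <alice@example.com>" || return 1
    make_key "$bob"   "Bob <bob@example.com>"     || return 1
    # Only public keys are exchanged; each private key stays in its own homedir.
    gpg --homedir "$alice" --batch --quiet --armor --export alice@example.com > "$tmp/alice.asc"
    gpg --homedir "$bob"   --batch --quiet --armor --export bob@example.com   > "$tmp/bob.asc"
    gpg --homedir "$alice" --batch --quiet --import "$tmp/bob.asc"
    gpg --homedir "$bob"   --batch --quiet --import "$tmp/alice.asc"
    printf 'meeting moved to 3pm\n' > "$tmp/msg.txt"
    gpg --homedir "$alice" --batch --quiet --yes --trust-model always \
        --pinentry-mode loopback --passphrase '' \
        --local-user alice@example.com --recipient bob@example.com \
        --armor --sign --encrypt --output "$tmp/msg.asc" "$tmp/msg.txt" || return 1
    # --status-fd 1 gives machine-readable lines; GOODSIG means Alice's signature checked out.
    status=$(gpg --homedir "$bob" --batch --quiet --yes --trust-model always \
        --pinentry-mode loopback --passphrase '' --status-fd 1 \
        --output "$tmp/received.txt" --decrypt "$tmp/msg.asc") || return 1
    cat "$tmp/received.txt"
    case "$status" in *GOODSIG*) echo "signature: GOOD" ;; *) echo "signature: BAD" ;; esac
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
}
```

Source the file and call openpgp_roundtrip; it prints the plaintext Bob recovered and whether Alice's signature verified.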
I have had a gpg key for five years now. But apart from two geeks, nobody is willing to send me encrypted mail.
I think encryption has to be made a lot easier. There must be no command-line interface to generate keys. Also, the Enigmail GUI is far too complicated to be accepted by the average user. There should be no mention of public and private keys. The user should be prompted on the first run to enter a passphrase -- the key generation can run in the background then. Also, the export of the public key and the import of needed public keys should work silently.
The second point is the plugin itself. While Apple Mail has a plugin that is really easy to maintain, there should be no plugin at all. Nobody I know (except me and the two geeks mentioned above) is downloading plugins for mail.
Another point is mobility. People working on different computers need their private key on all of them. But it might be unsafe to store the private key in the office. A breakthrough would be the availability of smartcard readers on all computers and smartcard support in the encryption software.
I know that the problem is manpower, and I also don't have the time to contribute. This is more a comment on what is needed to bring encryption to the masses than a rant at the Enigmail people. For myself, I'm really happy that Enigmail exists.
Comment by daniel. at January 11, 2005 10:54 AM
Offering my not so humble opinion.
X.509 encryption is handled beautifully in Thunderbird, much less kludgy. Almost transparent if you are using a trusted CA, like Thawte or Verisign.
Securely storing private keys is the single biggest problem facing public/private key encryption, and you are right, smartcards are the solution to this. But after testing several solutions, USB-based smart cards like the Aladdin eToken or the SafeNet (formerly Rainbow) iKeys are the only way to solve these problems currently in any way that normal AOL users stand any chance of using.
Comment by Alaric at March 26, 2005 06:08 AM