Posted by a guest, Dec 21st, 2017
Dear Posteo users,
Dear Thunderbird users and interested parties,

We have a security notice for everyone who uses Thunderbird or the encryption
add-on Enigmail.

Our goal is for popular open source solutions to become more secure.
Hence, last autumn we entered into a cooperation with Mozilla's SOS Fund to
commission a security audit of Thunderbird with Enigmail. This was the first
security audit of Enigmail ever.

The goal of the audit was to identify vulnerabilities in the tested software
and to make the software sustainably safer. The current audit showed multiple
vulnerabilities. The Enigmail developers have already fixed all discovered
problems. Some of the security issues have already been fixed in Thunderbird
as well, but most improvements will only be available with future versions of
Thunderbird. Beyond those vulnerabilities there is, however, a problem within
the architecture of the Thunderbird add-on system.

Thunderbird users of all providers are affected, including Gmail and Yahoo.

We are asking all Thunderbird users and Enigmail users to carefully read the
security recommendations in this article. If you follow them, you will already
communicate more securely.
24 days, 8 security researchers, 22 vulnerabilities

The thorough audit of Thunderbird and Enigmail in autumn 2017 was done by
independent security researchers (Cure53). The audit was financed in equal
parts by Posteo and the Mozilla SOS Fund. The project took 24 days and was
conducted by a team of 8 researchers. The test covered the fields "Incoming
Emails with PGP Signature / PGP Encryption", "Incoming HTML Emails", "Key
Generation & Crypto Setup", "Calendar, RSS and other features with Rich-Text
Usage" as well as "Default Settings".

In total 22 security-relevant vulnerabilities have been discovered, 3 were
classified as "critical" and 5 as "high". The developers of Thunderbird and
Enigmail were involved in the audit and informed immediately after the
security audit.

The security researchers summarize the conclusions in their report as follows:
"A detailed look at the implementations of both Thunderbird and Enigmail
revealed a high prevalence of design flaws, security issues and bugs. (...) In
short, secure communications may not be considered possible under the current
design and setup of this compound."

A critical classification was, among others, given to Enigmail due to the
possibility to fake signatures and identities. Additionally, the encrypted
communication of users can be intercepted by third parties and, under certain
conditions, compromised further. The Enigmail developers have already fixed
all identified vulnerabilities and provided a new Enigmail version (1.9.9).
We would like to thank Enigmail for their work.
<>
However, Enigmail relies on Thunderbird, which will receive many of the
improvements only in future versions.
Thunderbird add-on architecture puts your data at risk

This spring, architectural vulnerabilities in Firefox were confirmed as part
of a Posteo audit. We then presumed these architectural vulnerabilities also
exist in Thunderbird, which the current audit confirms:

The add-on architecture of Thunderbird allows an attacker to obtain your email
communication through compromised add-ons. The add-ons are insufficiently
separated and have access to the content in Thunderbird. This includes
end-to-end encrypted communication: even a user's private PGP key can fall
into the hands of an attacker. Here, even Enigmail cannot improve the
situation. It is even possible for an attacker to use compromised Thunderbird
add-ons to gain access to parts of your device and your sensitive data.

The report advises caution: "Assuming that a vulnerable or rogue extension is
installed, an attacker acquires multiple ways of getting access to private key
material and other sensitive data. (...) Henceforth, users are asked to be
aware that extensions in Thunderbird are as powerful as executables, which
means that they should be treated with adequate caution and care."

Firefox has rebuilt the architecture in the current version 57. For
Thunderbird it is not foreseeable when the add-on architecture will be
changed.
RSS feeds can act as spies

The audit discovered profound security problems in connection with RSS feeds,
which are expected to be fixed entirely no earlier than Thunderbird version
59. For security reasons, the actual attack will not be described in this
post. Usage of RSS feeds in Thunderbird can endanger and reveal your entire
communication and other sensitive data.
Please consider the following security recommendations:

For all Thunderbird users:

- Update Thunderbird to the latest versions as soon as they are available. The
new versions will remove several vulnerabilities revealed in this audit.
- Use Thunderbird preferably without add-ons, or at least only with verified
add-ons, until the architecture of Thunderbird has been rebuilt.
- Do not use RSS feeds in Thunderbird for now. There are critical security
problems threatening your entire communication.
- Do not accidentally install add-ons through phishing, since rogue add-ons
can be used to attack you.

If you follow these security recommendations, your communication will be
notably more secure.

For Enigmail users:

- Update Enigmail immediately to the new version 1.9.9. This update removes
all vulnerabilities identified in this audit.
- Update Thunderbird to the latest versions as soon as they are available. The
new versions will remove several vulnerabilities revealed in this audit.
- Do not install any other add-on aside from Enigmail until the add-on
architecture of Thunderbird has been rebuilt.
- Do not use RSS feeds in Thunderbird for now. There are critical security
problems threatening your entire communication.
- Do not accidentally install add-ons through phishing, since rogue add-ons
can be used to attack you.

If you follow these security recommendations, your communication is notably
more secure.
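Two of the recommendations above can be checked locally rather than taken on trust: whether the installed Enigmail is at least 1.9.9, and whether any other add-on is still active in the profile. Thunderbird keeps its add-on registry in the profile's extensions.json. The following Python script is an added example and is not part of Posteo's notice nor code from the Thunderbird or Enigmail projects. It assumes the extensions.json layout written by Thunderbird profiles (a top-level "addons" list whose entries carry id, version, type, active, userDisabled and defaultLocale.name), and it assumes the Enigmail add-on id shown in the code; verify both against your own installation. The JSON sample embedded in the block is constructed for the demonstration.

```python
import json
import re
import sys
from pathlib import Path

# Assumed Enigmail add-on id (check it against the add-on's install manifest).
ENIGMAIL_ID = "{847b3a00-7ab1-11d4-8f02-006008948af5}"
# Version the notice names as fixing all vulnerabilities found in the audit.
ENIGMAIL_MIN_VERSION = "1.9.9"

# Constructed sample of the fields this script reads from extensions.json.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 20,
    "addons": [
        {"id": ENIGMAIL_ID, "version": "1.9.8.1", "type": "extension",
         "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Enigmail"}},
        {"id": "feed-helper@example.invalid", "version": "0.4",
         "type": "extension", "active": True, "userDisabled": False,
         "defaultLocale": {"name": "Example Feed Helper"}},
        {"id": "theme@example.invalid", "version": "2.0", "type": "theme",
         "active": False, "userDisabled": True,
         "defaultLocale": {"name": "Example Theme"}},
    ],
})


def version_key(version):
    """'1.9.8.1' -> (1, 9, 8, 1); a component without digits counts as 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def version_at_least(version, minimum):
    """Compare dotted versions component-wise, padding the shorter one with
    zeros so that 1.9.9 equals 1.9.9.0 and 1.9.8.1 is below 1.9.9."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def audit_addons(extensions_json_text):
    """Return (severity, message) findings for the add-ons of one profile."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        name = addon.get("defaultLocale", {}).get("name") or addon["id"]
        version = addon.get("version", "0")
        enabled = addon.get("active", False) and not addon.get("userDisabled", False)
        if addon["id"] == ENIGMAIL_ID:
            if not version_at_least(version, ENIGMAIL_MIN_VERSION):
                findings.append(("high", f"{name} {version} is older than "
                                         f"{ENIGMAIL_MIN_VERSION}; update it"))
            continue
        if enabled:
            # The notice asks Enigmail users to run no other add-on until the
            # add-on architecture has been rebuilt, so every other active
            # add-on is reported for review.
            findings.append(("medium", f"other active add-on: {name} {version} "
                                       f"({addon.get('type', 'unknown')})"))
    return findings


def audit_profile(profile_dir):
    """Read <profile_dir>/extensions.json and audit it."""
    path = Path(profile_dir) / "extensions.json"
    return audit_addons(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # With a profile directory as argument the real file is checked; without
    # one the constructed sample above is used.
    if len(sys.argv) > 1:
        results = audit_profile(sys.argv[1])
    else:
        results = audit_addons(SAMPLE_EXTENSIONS_JSON)
    for severity, message in results:
        print(f"[{severity}] {message}")
```

Run it with the path of a Thunderbird profile directory to check the real extensions.json; with no argument it reports on the constructed sample, where Enigmail 1.9.8.1 is flagged as outdated and the enabled feed helper is listed as an additional active add-on while the disabled theme is not. The version comparison is done on integer tuples rather than strings so that 1.9.10 sorts above 1.9.9.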
Audit report to be published after vulnerabilities have been fixed

For security reasons we will publish the report only after all identified
vulnerabilities have been fixed, since the report describes the researchers'
successful attacks in detail. However, the report has been made available to
the participating developers, Posteo and Mozilla.

Posteo supports open source software

Posteo supports open source software with transparent code for security
reasons. We are convinced that transparent code is essential for the security
and democratic control of the internet. At any time, independent experts can
identify vulnerabilities and backdoors, making software more secure
step by step. With non-transparent code, one has to trust each provider's or
developer's security statements, which cannot be reviewed by the public.
For us, this is not an option.
Open source projects need your support

- Donate to the Thunderbird project to support further development of
Thunderbird:
<>
- Donate to the Enigmail developers to support further development of
Enigmail:
<>
After the audit: what the participants say

The Enigmail developer Patrick Brunschwig extends his thanks: "Enigmail is one
of the most widely used tools for OpenPGP email encryption. Yet it took 16(!)
years of development until the first security audit was performed. It was more
than overdue, and I would like to thank Posteo for taking the initiative and
co-financing an audit report together with the Mozilla Foundation. Not very
surprising for such an old project, the audit report revealed a number of
important issues that were addressed now."

Mozilla sees the audit as a success: "Mozilla's Secure Open Source Fund, a
MOSS program, provides code-read security audits for key pieces of open source
software. We are very pleased to have been able to collaborate with Posteo to
audit one of the main software combinations used for secure email, and are
glad that users' data is safer and more secure as a result."

Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty
program of Thunderbird: "In closing, once all relevant issues reported here by
Cure53 have been fixed, it should be strongly considered to re-establish a bug
bounty program for Thunderbird. This approach would help keeping the security
level at an acceptable level instead of allowing it to deteriorate and move
towards a stale state of datedness."

Patrik Löhr from Posteo asks for changes in the add-on architecture of
Thunderbird: "We want to make open source software and end-to-end encryption
more secure: security audits are the best way to achieve this aim. It is a
success that all discovered vulnerabilities in Enigmail have already been
resolved. On the other hand, the add-on architecture in Thunderbird requires
more work to achieve an up-to-date secure setup. Thunderbird is an essential
tool for many people who work with email and communicate with end-to-end
encryption. Therefore, the effort pays off."

Best regards,

The Posteo team