Dear Posteo users, Dear Thunderbird users and interested parties,We have a

1. Dear Posteo users,
2. Dear Thunderbird users and interested parties,
3.  
4. We have a security notice for everyone who uses Thunderbird or the encryption
5. add-on Enigmail.
6.  
7. Our goal is, that popular open source-solutions are becoming more secure.
8. Hence, last autumn we entered into a cooperation with Mozilla's SOS Fund to
9. commission a security audit of Thunderbird with Enigmail. This was the first
10. security audit for Enigmail ever.
11.  
12. The goal of the audit was to identify vulnerabilities in the tested software
13. and to make the software sustainably safer. The current audit showed multiple
14. vulnerabilities. The Enigmail developers have already fixed all discovered
15. problems. Some of the security issues have already been fixed in Thunderbird,
16. as well - but most improvements will only be available with future versions of
17. Thunderbird. Beyond those vulnerabilities there is, however, a problem within
18. the architecture of the Thunderbird add-on system.
19.  
20. All Thunderbird users with all providers are affected, including Gmail,
21. Outlook.com or Yahoo.
22.  
23. We are asking all Thunderbird users and Enigmail users to carefully read our
24. security recommendations in this article. If you follow our security
25. recommendations, you will already communicate more secure.
26.  
27.  
28. 24 days, 8 security researchers, 22 vulnerabilities
29.  
30. The thorough audit of Thunderbird and Enigmail in autumn 2017 was done by
31. independent security researchers (Cure53). The audit was financed in equal
32. parts by Posteo and the Mozilla SOS Fund. The project took 24 days and was
33. conducted by a team of 8 researchers. The test covered the fields "Incoming
34. Emails with PGP Signature / PGP Encryption", "Incoming html Emails", "Key
35. Generation & Crypto Setup", "Calendar, RSS and other features with Rich-Text
36. Usage" as well as "Default Settings".
37.  
38. In total 22 security relevant vulnerabilities have been discovered, 3 were
39. classified as "critical" and 5 as "high". The developers of Thunderbird and
40. Enigmail were involved in the audit and immediately informed after the
41. security audit.
42.  
43. The security researchers summarize the conclusions in their report as follows:
44. "A detailed look at the implementations of both Thunderbird and Enigmail
45. revealed a high prevalence of design flaws, security issues and bugs. (...) In
46. short, secure communications may not be considered possible under the current
47. design and setup of this compound."
48.  
49. A critical classification was - among others - given to Engimail due to the
50. possibility to fake signatures and identities. Additionally the encrypted
51. communication of users can be intercepted by third parties and could be
52. compromised further on under certain conditions. The Enigmail developers have
53. already fixed all identified vulnerabilities and provided a new Enigmail
54. version (1.9.9). We would like to thank Enigmail for their work.
55. <https://addons.mozilla.org/de/thunderbird/addon/enigmail/>
56. However, Enigmail relies on Thunderbird, which will receive many of the
57. improvements only in future versions.
58.  
59.  
60. Thunderbird add-on architecture puts your data at risk
61.  
62. This Spring, architectural vulnerabilities in Firefox were confirmed as
63. part of a Posteo audit. We then presumed these architectural vulnerabilties
64. also in Thunderbird, which the current audit confirms:
65.  
66. The add-on architecture of Thunderbird allows an attacker to obtain your email
67. communication through compromised add-ons. The add-ons are insufficiently
68. separated and have access to the content in Thunderbird. This includes end-to-
69. end encrypted communication: Even a users private PGP key can fall into the
70. hands of an attacker. Here, even Enigmail cannot improve the situation. It is
71. even possible for an attacker to use compromised Thunderbird add-ons and gain
72. access to parts of your device and your sensitive data.
73.  
74. The report advises caution: "Assuming that a vulnerable or rogue extension is
75. installed, an attacker acquires multiple ways of getting access to private key
76. material and other sensitive data. (...) Henceforth, users are asked to be
77. aware that extensions in Thunderbird are as powerful as executables, which
78. means that they should be treated with adequate caution and care."
79.  
80. Firefox has rebuilt the architecture in the current version 57. For
81. Thunderbird it is not foreseeable, when the add-on architecture will be
82. changed.
83.  
84.  
85. RSS feeds can act as spies
86.  
87. The audit discovered profound security problems in connections with RSS feeds,
88. which are expected to be fixed entirely no earlier than Thunderbird version
89. 59. Due to security reasons, the actual attack will not be described in this
90. post. Usage of RSS feeds in Thunderbird can endanger and reveal your entire
91. communication and other sensitive data.
92.  
93.  
94. Please consider the following security recommendations:
95.  
96. For all Thunderbird users:
97.  
98. - Update Thunderbird to the latest versions as soon as they are available. The
99. new versions will remove several vulnerabilities, revealed in this audit.
100. - Use Thunderbird preferably without or at least with verified add-ons, until
101. the architecture of Thunderbird has been rebuilt.
102. - Do not use RSS feeds in Thunderbird for now. There are critical security
103. problems, threatening your entire communication.
104. - Do not accidentally install addons through phishing, since rogue addons can
105. be used to attack you.
106.  
107. If you follow these security recommendations, your communication will be
108. notedly more secure.
109.  
110. For Enigmail users:
111.  
112. - Update Enigmail immediately to the new version 1.9.9. This update removes
113. all vulnerabilities identified in this audit.
114. - Update Thunderbird to the latest versions as soon as they are available. The
115. new versions will remove several vulnerabilities, revealed in this audit.
116. - Do not install any other add-on aside of Enigmail until the add-on
117. architecture of Thunderbird has been rebuilt.
118. - Do not use RSS feeds in Thunderbird for now. There are critical security
119. problems, threatening your entire communication.
120. - Do not accidentally install add-ons through phishing, since rogue add-ons
121. can be used to attack you.
122.  
123. If you follow these security recommendations, your communication is notedly
124. more secure.
125.  
126.  
127. Audit report to be published after vulnerabilities have been fixed
128. Due to security considerations we will publish the report after all identified
129. vulnerabilities have been fixed, since the report describes the researchers
130. successful attacks in detail. However, the report was made available to the
131. participating developers, Posteo and Mozilla.
132.  
133. Posteo supports open source software
134. Posteo supports open source software with transparent code for security
135. reasons. We are convinced, that transparent code is essential for the security
136. and democratic control of the internet. At any time, independent experts can
137. identify vulnerabilities and backdoors, making software more secure
138. step-by-step. With intransparent code there is a need to trust each provider's
139. or developer's security statements, which are not reviewable by the public.
140. For us, this is not an option.
141.  
142.  
143. Open source projects need your support
144.  
145. - Donate to the Thunderbird project to support further development of
146. Thunderbird:
147. <https://donate.mozilla.org/en/thunderbird/>
148. - Donate to the Enigmail developers to support further development of
149. Enigmail:
150. <https://www.enigmail.net/index.php/en/home/donations>
151.  
152.  
153. After the audit: what the participants say
154.  
155. The Enigmail developer Patrick Brunschwig extends his thanks: "Enigmail is one
156. of the most widely used tool for OpenPGP email encryption. Yet it took 16(!)
157. years of development until the first security audit was performed. It was more
158. than overdue, and I would like to thank Posteo for taking the initiative and
159. co-financing an audit report together with the Mozilla Foundation. Not very
160. surprising for such an old project, the audit report revealed a number of
161. important issues that were addressed now."
162.  
163. Mozilla sees the audit as a success: "Mozilla's Secure Open Source Fund, a
164. MOSS program, provides code-read security audits for key pieces of open source
165. software. We are very pleased to have been able to collaborate with Posteo to
166. audit one of the main software combinations used for secure email, and are
167. glad that users' data is safer and more secure as a result."
168.  
169. Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty
170. program of Thunderbird: "In closing, once all relevant issues reported here by
171. Cure53 have been fixed, it should be strongly considered to re-establish a bug
172. bounty program for Thunderbird. This approach would help keeping the security
173. level at an acceptable level instead of allowing it to deteriorate and move
174. towards a stale state of datedness."
175.  
176. Patrik Löhr from Posteo asks for changes in the add-on architecture of
177. Thunderbird: "We want to make open source software and end-to-end encryption
178. more secure: security audits are the best way to achieve this aim. It is a
179. success, that all discovered vulnerabilities in Enigmail have already been
180. resolved. On the other hand, the add-on architecture in Thunderbird requires
181. more work to achieve an up-to-date secure setup. Thunderbird is an essential
182. tool for many people who work with email and communicate with end-to-end
183. encryption. Therefore, the effort pays off."
184.  
185. Best regards,
186.  
187. The Posteo team