- Dear Posteo users,
- Dear Thunderbird users and interested parties,
- We have a security notice for everyone who uses Thunderbird or the encryption
- add-on Enigmail.
- Our goal is for popular open-source solutions to become more secure.
- Hence, last autumn we entered into a cooperation with Mozilla's SOS Fund to
- commission a security audit of Thunderbird with Enigmail. This was the first
- security audit for Enigmail ever.
- The goal of the audit was to identify vulnerabilities in the tested software
- and to make it more secure in the long term. The audit found multiple
- vulnerabilities. The Enigmail developers have already fixed all of the
- problems discovered in Enigmail. Some of the security issues have also been
- fixed in Thunderbird, but most improvements will only ship with future
- versions of Thunderbird. Beyond those individual vulnerabilities there is,
- however, a structural problem in the Thunderbird add-on architecture.
- All Thunderbird users are affected, regardless of email provider, including
- Gmail, Outlook.com and Yahoo.
- We ask all Thunderbird and Enigmail users to read the security
- recommendations in this article carefully. If you follow them, you will
- already be communicating more securely.
- 24 days, 8 security researchers, 22 vulnerabilities
- The thorough audit of Thunderbird and Enigmail in autumn 2017 was done by
- independent security researchers (Cure53). The audit was financed in equal
- parts by Posteo and the Mozilla SOS Fund. The project took 24 days and was
- conducted by a team of 8 researchers. The test covered the areas "Incoming
- Emails with PGP Signature / PGP Encryption", "Incoming HTML Emails", "Key
- Generation & Crypto Setup", "Calendar, RSS and other features with Rich-Text
- Usage" as well as "Default Settings".
- In total, 22 security-relevant vulnerabilities were discovered, 3 of which
- were classified as "critical" and 5 as "high". The developers of Thunderbird
- and Enigmail were involved in the audit and were informed immediately after
- it concluded.
- The security researchers summarize the conclusions in their report as follows:
- "A detailed look at the implementations of both Thunderbird and Enigmail
- revealed a high prevalence of design flaws, security issues and bugs. (...) In
- short, secure communications may not be considered possible under the current
- design and setup of this compound."
- A critical rating was given, among others, to Enigmail findings that made it
- possible to forge signatures and identities. In addition, under certain
- conditions the encrypted communication of users could be intercepted by third
- parties and compromised further. The Enigmail developers have already fixed
- all identified vulnerabilities and released a new Enigmail version (1.9.9). We
- would like to thank Enigmail for their work.
- <https://addons.mozilla.org/de/thunderbird/addon/enigmail/>
- However, Enigmail relies on Thunderbird, which will only receive many of the
- improvements in future versions.
- Thunderbird add-on architecture puts your data at risk
- This spring, architectural vulnerabilities in Firefox were confirmed as part
- of a Posteo audit. We then presumed that these architectural vulnerabilities
- also exist in Thunderbird, which the current audit confirms:
- The add-on architecture of Thunderbird allows an attacker to obtain your email
- communication through compromised add-ons. Add-ons are insufficiently isolated
- and have access to all content in Thunderbird. This includes end-to-end
- encrypted communication: even a user's private PGP key can fall into the hands
- of an attacker. Here, even Enigmail cannot improve the situation, since it is
- an add-on itself and subject to the same architecture. It is also possible for
- an attacker to use a compromised Thunderbird add-on to gain access to parts of
- your device and your sensitive data.
- The report advises caution: "Assuming that a vulnerable or rogue extension is
- installed, an attacker acquires multiple ways of getting access to private key
- material and other sensitive data. (...) Henceforth, users are asked to be
- aware that extensions in Thunderbird are as powerful as executables, which
- means that they should be treated with adequate caution and care."
- Firefox rebuilt its add-on architecture in the current version 57. For
- Thunderbird it is not yet foreseeable when the add-on architecture will be
- changed.
- RSS feeds can act as spies
- The audit discovered profound security problems in connection with RSS
- feeds, which are not expected to be fixed entirely before Thunderbird version
- 59. For security reasons, the actual attack is not described in this post.
- Using RSS feeds in Thunderbird can endanger and reveal your entire
- communication and other sensitive data.
- Please consider the following security recommendations:
- For all Thunderbird users:
- - Update Thunderbird to the latest version as soon as it is available. The
- new versions remove several of the vulnerabilities revealed in this audit.
- - Preferably use Thunderbird without add-ons, or at least only with verified
- add-ons, until the architecture of Thunderbird has been rebuilt.
- - Do not use RSS feeds in Thunderbird for now. There are critical security
- problems that threaten your entire communication.
- - Do not let yourself be tricked into installing add-ons through phishing,
- since rogue add-ons can be used to attack you.
- If you follow these security recommendations, your communication will be
- noticeably more secure.
- For Enigmail users:
- - Update Enigmail immediately to the new version 1.9.9. This update removes
- all vulnerabilities identified in Enigmail during this audit.
- - Update Thunderbird to the latest version as soon as it is available. The
- new versions remove several of the vulnerabilities revealed in this audit.
- - Do not install any add-on other than Enigmail until the add-on
- architecture of Thunderbird has been rebuilt.
- - Do not use RSS feeds in Thunderbird for now. There are critical security
- problems that threaten your entire communication.
- - Do not let yourself be tricked into installing add-ons through phishing,
- since rogue add-ons can be used to attack you.
- If you follow these security recommendations, your communication will be
- noticeably more secure.
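The two recommendation lists above amount to a checklist that can be applied to a Thunderbird profile directory: Enigmail at 1.9.9 or newer, no other active add-ons, and no RSS accounts. The following script is an added example, not code from Posteo, Cure53 or the Thunderbird/Enigmail projects. It assumes that the profile's extensions.json lists add-ons under an "addons" key with "id", "version", "active" and "defaultLocale" fields, that prefs.js records account types as user_pref("mail.server.serverN.type", "...") with "rss" for feed accounts, and that Enigmail's add-on ID is {e2fda1a4-762b-4020-b5ad-a41df1933103}. The sample extensions.json and prefs.js contents are constructed for the example.

```python
"""Check a Thunderbird profile against the audit recommendations:
Enigmail >= 1.9.9, no other active add-ons, no RSS accounts.

Added example, not code from Posteo, Cure53, Thunderbird or Enigmail.
Assumed (not stated in the announcement): the extensions.json layout,
the prefs.js account-type keys, and Enigmail's add-on id below.
"""
import json
import re
import sys
from pathlib import Path

ENIGMAIL_ID = "{e2fda1a4-762b-4020-b5ad-a41df1933103}"  # assumed Enigmail add-on id
MIN_ENIGMAIL = (1, 9, 9)  # version that fixes all Enigmail findings (per the post)

# Matches lines such as: user_pref("mail.server.server2.type", "rss");
SERVER_TYPE_RE = re.compile(
    r'user_pref\("mail\.server\.(server\d+)\.type",\s*"([^"]*)"\);')


def parse_version(version):
    """'1.9.9' -> (1, 9, 9); tolerates suffixes like '1.9.8.1' or '2.0b1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit_addons(extensions_json_text):
    """Findings for the add-on inventory in extensions.json (assumed format).

    Every active add-on other than Enigmail is reported, because an add-on
    runs with the same privileges as Thunderbird itself; an Enigmail older
    than 1.9.9 is reported as outdated.
    """
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        if not addon.get("active", False):
            continue  # disabled add-ons do not run
        addon_id = addon.get("id", "?")
        name = addon.get("defaultLocale", {}).get("name", addon_id)
        version = addon.get("version", "0")
        if addon_id == ENIGMAIL_ID:
            if parse_version(version) < MIN_ENIGMAIL:
                findings.append(f"outdated: Enigmail {version} < 1.9.9, update it")
        else:
            findings.append(f"unexpected add-on: {name} ({addon_id}), remove it")
    return findings


def audit_rss(prefs_js_text):
    """Server keys of RSS accounts in prefs.js (assumed 'rss' account type)."""
    return [server for server, kind in SERVER_TYPE_RE.findall(prefs_js_text)
            if kind == "rss"]


def audit_profile(profile_dir):
    """Run both checks on a real profile directory; missing files are skipped."""
    profile = Path(profile_dir)
    findings = []
    ext = profile / "extensions.json"
    if ext.is_file():
        findings += audit_addons(ext.read_text(encoding="utf-8"))
    prefs = profile / "prefs.js"
    if prefs.is_file():
        findings += [f"rss account configured: {s}, remove it for now"
                     for s in audit_rss(prefs.read_text(encoding="utf-8"))]
    return findings


# Constructed sample inputs (not taken from a real profile).
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 21, "addons": [
    {"id": ENIGMAIL_ID, "version": "1.9.8", "active": True,
     "defaultLocale": {"name": "Enigmail"}},
    {"id": "helper@example.invalid", "version": "0.3", "active": True,
     "defaultLocale": {"name": "Mail Helper"}},
    {"id": "old@example.invalid", "version": "2.0", "active": False,
     "defaultLocale": {"name": "Disabled Add-on"}},
]})

SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server2.type", "rss");
user_pref("mail.server.server3.type", "none");
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_profile(sys.argv[1])  # path to a Thunderbird profile
    else:
        results = audit_addons(SAMPLE_EXTENSIONS_JSON) + [
            f"rss account configured: {s}" for s in audit_rss(SAMPLE_PREFS_JS)]
    print("\n".join(results) or "no findings")
```

Run it with no arguments to see the findings for the constructed sample (an outdated Enigmail, one unexpected add-on, one RSS account), or pass the path of a profile directory to check a real installation. Disabled add-ons are deliberately ignored, since the risk described in the report comes from add-on code that actually runs.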
- Audit report to be published after vulnerabilities have been fixed
- For security reasons, we will publish the report only after all identified
- vulnerabilities have been fixed, since the report describes the researchers'
- successful attacks in detail. The report has, however, been made available to
- the participating developers, Posteo and Mozilla.
- Posteo supports open source software
- Posteo supports open source software with transparent code for security
- reasons. We are convinced that transparent code is essential for the security
- and democratic control of the internet. Independent experts can identify
- vulnerabilities and backdoors at any time, making the software more secure
- step by step. With closed code, one has to trust each provider's or
- developer's security statements, which cannot be reviewed by the public. For
- us, this is not an option.
- Open source projects need your support
- - Donate to the Thunderbird project to support further development of
- Thunderbird:
- <https://donate.mozilla.org/en/thunderbird/>
- - Donate to the Enigmail developers to support further development of
- Enigmail:
- <https://www.enigmail.net/index.php/en/home/donations>
- After the audit: what the participants say
- The Enigmail developer Patrick Brunschwig extends his thanks: "Enigmail is one
- of the most widely used tools for OpenPGP email encryption. Yet it took 16(!)
- years of development until the first security audit was performed. It was more
- than overdue, and I would like to thank Posteo for taking the initiative and
- co-financing an audit report together with the Mozilla Foundation. Not very
- surprisingly for such an old project, the audit report revealed a number of
- important issues that have now been addressed."
- Mozilla sees the audit as a success: "Mozilla's Secure Open Source Fund, a
- MOSS program, provides code-read security audits for key pieces of open source
- software. We are very pleased to have been able to collaborate with Posteo to
- audit one of the main software combinations used for secure email, and are
- glad that users' data is safer and more secure as a result."
- Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty
- program of Thunderbird: "In closing, once all relevant issues reported here by
- Cure53 have been fixed, it should be strongly considered to re-establish a bug
- bounty program for Thunderbird. This approach would help keep the security
- level at an acceptable level instead of allowing it to deteriorate and move
- towards a stale state of datedness."
- Patrik Löhr from Posteo asks for changes in the add-on architecture of
- Thunderbird: "We want to make open source software and end-to-end encryption
- more secure: security audits are the best way to achieve this aim. It is a
- success that all discovered vulnerabilities in Enigmail have already been
- resolved. On the other hand, the add-on architecture in Thunderbird requires
- more work to achieve an up-to-date secure setup. Thunderbird is an essential
- tool for many people who work with email and communicate with end-to-end
- encryption. Therefore, the effort pays off."
- Best regards,
- The Posteo team