Re: [Enigmail] Enigmail Toolbar

2015-03-28 Thread Olav Seyfarth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Mike,

I think that INLINE/MIME, signed/unsigned and blank subject should not depend
on each other. That is, having one set or not should not yield other results for
another. Users would not expect this (and rather manually set it).

> We would not want to present Aunt Sally with the empty subject line.

It might be worth considering to make this warning optional and switch it off
by default indeed.

> If using PGP it makes sense to set PGP/MIME.

If a message is neither signed nor encrypted by Enigmail, PGP/MIME is not used
even if it's set or default. Usual MIME is used then for HTML mails, and plain
for plain text mails.

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Dies ist eine elektronische Signatur - http://www.enigmail.net/
-----END PGP SIGNATURE-----

___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net


Re: [Enigmail] Subject line warnings

2015-03-28 Thread Doug Barton

On 3/28/15 6:31 AM, Mike Acker wrote:

> On 03/28/2015 07:21 AM, Ron OHara wrote:
>
> > Hi,
> >
> > In Thunderbird, you are warned if you send an email with a blank
> > Subject. If the message is to be encrypted, best practice is to NOT
> > have a Subject line.  The Subject line is not encrypted and thus 'leaks'
> > information.
> >
> > Any ideas on how to:
> > 1 - suppress the Thunderbird warning if Subject is blank and the mail is
> > encrypted
> > 2 - issue a warning (from Enigmail?) if the Subject is NOT blank, and
> > the mail is encrypted.
> >
> > Regards
> > Ron OHara
>
> just enter a dummy subject line, e.g. March Madness
>
> you are fussing over an un-important point: you cannot avoid traffic
> analysis unless you toss your smart-phone in the dumpster and ride your
> bike.

+1


--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!






Re: [Enigmail] Enigmail Toolbar

2015-03-28 Thread Doug Barton
When starting a new topic please don't reply to a message on the list 
and change the subject line. Doing so causes your new topic to show 
under the previous one for those using mail readers that thread 
properly, and may cause your message to be missed altogether if someone 
has blocked that thread.


Instead, please save the list address to your address book and then 
start a completely new message.


hope this helps,

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!






[Enigmail] Enigmail Toolbar

2015-03-28 Thread Mike Acker
Olav,--

Thank you for your very thoughtful reply.  The point of issue that
prompted me to write arose when I attempted to sign a message I had
written regarding blank subject lines.   As soon as I attempted to sign
the message I was warned that my message was being converted to plain
text,-- which I did not want.   So, I started hunting for the PGP/MIME
switch.   I found it and set it to use PGP/MIME

But let's talk about Aunt Sally: we would not want to present her with
that message, either.   So we are really between a rock and a hard spot
in this. My feeling is that if I'm going to use PGP it is because I
expect the recipient is also using PGP.   That being the case it makes
sense to me to set PGP/MIME as the default -- whenever either\or
encryption|signature is selected.   I notice for this message I have to
re-select the PGP/MIME option.

let me know what you think!

I think a huge part of our problem these days is to get people to quit
fussing over 2-factor authentications and start worrying about digital
authentications of documents, generally

=

On 03/28/2015 01:02 PM, Olav Seyfarth wrote:
> Hi Mike,
>
> > there should be 3 selections: Encryption, Signing, and PGP/MIME
>
> I disagree. Aunt Sally will ONLY care about encrypt or not. More learned folks
> may want to change their default signing setting for specific messages. But only
> nerds care to switch INLINE/MIME. I'm not trying to offend you, just making one
> point clear: Enigmail must be as usable for anyone. And MOST people will be
> confused by an INLINE/MIME selection.
>
> For the expert/nerd: the Label Enigmail: in that button bar is clickable and
> you may set INLINE/MIME there. I do agree that this is not good UI design since
> users are not to expect Labels to be clickable. It's what it is for now. We may
> come up with a better solution. If Patrick does an INLINE/MIME button, then I
> urge to hide it per default. Experts may then drag it into their preferred pos.
>
> Apart from the UI: The next Enigmail version we set PGP/MIME as default.
>
> Olav

-- 
/Mike





Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox

2015-03-28 Thread Doug Barton

On 3/28/15 11:57 AM, Daniel Kahn Gillmor wrote:

> If the only concern is leaving sensitive data in the clipboard after
> use, maybe pinentry could *accept* pastes, but then also clear the
> clipboard after it was pasted into?


First, this discussion is moot because Werner won't change this.

Second, what you're describing isn't safe. Malware that watches the 
clipboard will still pick up what's pasted onto it, even if it gets 
cleared immediately after.


Finally, someone else already posted the right answer, a tool like 
Keepass can auto-type the password, bypassing the clipboard. It's also 
thought to be safe against key loggers, although there is some dispute 
on that topic.


I think that a case can be made for a better plan to be using a password 
that you can remember, and type. I would also argue that for most people 
there is no threat model that justifies a password so long that you 
can't remember or type it. :)


Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!







Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox

2015-03-28 Thread Daniel Kahn Gillmor
[redirecting to gnupg-devel, setting mail-followup-to: there]

On Wed 2015-03-25 18:26:38 -0400, Robert J. Hansen wrote:
> > My guess is that this is for added security.
>
> Correct.  Werner Koch has said several times that he will not change the
> code to permit CP into the dialog box, as that would leave sensitive
> data in your clipboard -- and the clipboard, by definition, can be read
> by any application, including malware.

If the only concern is leaving sensitive data in the clipboard after
use, maybe pinentry could *accept* pastes, but then also clear the
clipboard after it was pasted into?

I understand that this still encourages people to put their
passphrases into the clipboard, but that seems to be happening anyway.

What if, upon accepting a paste, pinentry was to expand the dialog a bit
and show a warning that says something like:

   Pasted!  Your clipboard has also been emptied, so that your
   passphrase isn't exposed to other applications.  GnuPG recommends
   never copying your passphrase to the clipboard.

  --dkg



Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox

2015-03-28 Thread Doug Barton

On 3/28/15 12:30 PM, Daniel Kahn Gillmor wrote:

> [so much for following up on gpg-devel; i'm replying to enigmail because
> that's where this message went, even though i don't understand the
> reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>
> > Finally, someone else already posted the right answer, a tool like
> > Keepass can auto-type the password, bypassing the clipboard. It's also
> > thought to be safe against key loggers, although there is some dispute
> > on that topic.
>
> I quite like the Keepass approach.
>
> But it's not clear to me that this will work, at least for the versions
> of pinentry i've seen that grab the input devices (i'm seeing this on
> X11, at any rate).  In this case, I don't think there is a way to
> trigger keepass to get it to type into the pinentry dialog.

Keepass has a way to specify the target window. But that method only 
works with certain types of dialogs. I just tried it with the Mac GPG 
Tools pinentry and it doesn't work. Of course there is no reason that 
the standard pinentry front ends couldn't be adjusted as needed.

> What platforms has this approach been tested on?

Dunno. :)

> > I think that a case can be made for a better plan to be using a password
> > that you can remember, and type. I would also argue that for most people
> > there is no threat model that justifies a password so long that you
> > can't remember or type it. :)
>
> I can sympathize with this sentiment.  In general, i think users should
> keep a very small number of strong passphrases that they can remember
> and can type, and should use the main one of those passphrases to
> control a mechanized password store (like keepass) for all the rest of
> them.
>
> I suppose the underlying question is whether you think the user's
> OpenPGP passphrase is one of these strong passphrases that they should
> be able to remember, or whether you think it should be delegated to the
> mechanized password store.


Yes, I agree with you in principle, and I do think that the secret key 
password is one that should be typeable.


And FWIW, one of the virtues of a secure key store like Keepass is that 
you can keep passwords in it whether you want to auto-type them or not. 
So if you have a strong password for something that you don't type 
often, you can keep it there to prompt your memory.


Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!






Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox

2015-03-28 Thread Jérôme Pinguet
On 03/28/2015 08:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because
> that's where this message went, even though i don't understand the
> reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
> > Finally, someone else already posted the right answer, a tool like 
> > Keepass can auto-type the password, bypassing the clipboard. It's also 
> > thought to be safe against key loggers, although there is some dispute 
> > on that topic.
> I quite like the Keepass approach.
>
> But it's not clear to me that this will work, at least for the versions
> of pinentry i've seen that grab the input devices (i'm seeing this on
> X11, at any rate).  In this case, I don't think there is a way to
> trigger keepass to get it to type into the pinentry dialog.
>
> What platforms has this approach been tested on?

Debian Stable, KeePass2, pinentry-gtk-2 and pinentry-qt4 both work, and
are both a bit slow (it might take up to 30 seconds !!! for the pinentry
dialog to be accepted, but my password is not insanely long, it's in the
20-40 chars range). I tested it with both GnuPG 1.4.x and 2.0.x.

In fact I use this on a daily basis combined with Enigmail. Sometimes,
for reasons beyond my grasp, pinentry complains of a wrong password.
When it happens, i restart keepass2 and then it works again. KeePass2
comes with tons of Mono packages and it's a bit sluggish, but I haven't
found anything as reliable yet in the limited offer of Debian packaged
free software password managers.

If the KeePass2-pinentry process was faster, it would be perfect.

By the way Daniel, thanks for your GPG best practices page and more
generally for your work related to GPG, Riseup and Debian! :-) I often
refer to Riseup GPG Best practices during the cryptoparties I organize
in Marseille.

Here is the link:
https://help.riseup.net/en/security/message-security/openpgp/best-practices

Jérôme

-- 
OpenPGP / GPG key: 0x14B7E62420E51038
I encrypt emails with GPG, Thunderbird & Enigmail.






[Enigmail] Subject line warnings

2015-03-28 Thread Mike Acker
On 03/28/2015 07:21 AM, Ron OHara wrote:
> Hi,
>
> In Thunderbird, you are warned if you send an email with a blank
> Subject. If the message is to be encrypted, best practice is to NOT
> have a Subject line.  The Subject line is not encrypted and thus 'leaks'
> information.
>
> Any ideas on how to:
> 1 - suppress the Thunderbird warning if Subject is blank and the mail is
> encrypted
> 2 - issue a warning (from Enigmail?) if the Subject is NOT blank, and
> the mail is encrypted.
>
> Regards
> Ron OHara


just enter a dummy subject line, e.g. March Madness

you are fussing over an un-important point: you cannot avoid traffic
analysis unless you toss your smart-phone in the dumpster and ride your
bike.

-- 
/Mike



[Enigmail] Subject line warnings

2015-03-28 Thread Ron OHara
Hi,

In Thunderbird, you are warned if you send an email with a blank
Subject. If the message is to be encrypted, best practice is to NOT
have a Subject line.  The Subject line is not encrypted and thus 'leaks'
information.

Any ideas on how to:
1 - suppress the Thunderbird warning if Subject is blank and the mail is
encrypted
2 - issue a warning (from Enigmail?) if the Subject is NOT blank, and
the mail is encrypted.

Regards
Ron OHara


-- 
public identity: https://www.onename.io/ron_ohara

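The point Ron raises, that the Subject header travels outside the part OpenPGP protects, is easy to see by assembling a PGP/MIME (RFC 3156) message and looking at what a relay can still read. The Python below is an added example, not Enigmail's code or anything posted to the list; it uses only the standard library, the ciphertext is a constructed placeholder rather than real OpenPGP output, and the function names are its own. `subject_leak_warning` is one shape the warning Ron asks for in point 2 could take: it fires only when the message is PGP/MIME encrypted and the Subject is non-blank.

```python
# Added example, not code from the Enigmail project or from anyone on the list.
# Standard library only. The "ciphertext" is a constructed placeholder.
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser

# Constructed placeholder: shaped like an ASCII-armored OpenPGP message, but not one.
PLACEHOLDER_CIPHERTEXT = (
    b"-----BEGIN PGP MESSAGE-----\n"
    b"\n"
    b"placeholder-armored-body-not-real-ciphertext\n"
    b"=0000\n"
    b"-----END PGP MESSAGE-----\n"
)


def build_pgp_mime(sender, recipient, subject, ciphertext):
    """Wrap already-encrypted data in the RFC 3156 multipart/encrypted layout.

    Only the two body parts are covered by OpenPGP; every header set on
    `outer` (From, To, Subject, ...) is transmitted as-is.
    """
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = recipient
    if subject is not None:
        outer["Subject"] = subject  # stays in cleartext, outside the encrypted part
    # Part 1: the fixed control part; part 2: the OpenPGP message itself.
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit)
    body = MIMEApplication(ciphertext, "octet-stream", encoders.encode_7or8bit,
                           name="encrypted.asc")
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()


def _parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def is_pgp_mime_encrypted(msg):
    """True for the RFC 3156 multipart/encrypted layout with the OpenPGP protocol."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def cleartext_headers(raw):
    """Headers every relay and mailbox provider can read, because they sit
    outside the encrypted MIME part. Content-* and MIME-Version are skipped
    as pure plumbing."""
    msg = _parse(raw)
    return {name: str(value) for name, value in msg.items()
            if not name.lower().startswith("content-") and name.lower() != "mime-version"}


def encrypted_payload(raw):
    """Bytes of the second body part: the OpenPGP message a relay cannot read."""
    msg = _parse(raw)
    if not is_pgp_mime_encrypted(msg):
        raise ValueError("not a PGP/MIME encrypted message")
    return msg.get_payload()[1].get_payload(decode=True)


def subject_leak_warning(raw):
    """The warning Ron asked for: a non-blank Subject on an encrypted message.

    Returns the warning text, or None when there is nothing to flag (blank
    Subject, or the message is not PGP/MIME encrypted at all).
    """
    msg = _parse(raw)
    if not is_pgp_mime_encrypted(msg):
        return None
    subject = str(msg.get("Subject", "")).strip()
    if not subject:
        return None
    return f"Subject {subject!r} is sent in cleartext alongside the encrypted body"


if __name__ == "__main__":
    raw = build_pgp_mime("alice@example.org", "bob@example.org",
                         "Q2 budget figures", PLACEHOLDER_CIPHERTEXT)
    print("visible to any relay:", cleartext_headers(raw))
    print(subject_leak_warning(raw))
```

Setting `subject` to `None` or `""` makes the warning go quiet, which is the "blank Subject" case Thunderbird itself complains about; the two checks are independent, which is exactly why the thread wants one suppressed and the other added.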


[Enigmail] Enigmail Toolbar

2015-03-28 Thread Mike Acker
I see they revised the Enigmail Toolbar.   are they taking lessons from
Julie Larson-Green ;) ?

anyway, there should be 3 selections: Encryption, Signing, and
PGP/MIME. Generally if you are just signing a message or actually
encrypting and signing -- you want to use PGP/MIME.   I would then put
an option on the Toolbar for PGP/MIME and have it switch on
automatically if either the Encryption and|or the signing option is
selected, allowing the user to manually switch it off -- which would
then force plaintext formatting.

-- 
/Mike






[Enigmail] Enigmail - gpg-agent - TTL

2015-03-28 Thread Blaise Pascal
Hi,

using Linux Mint 17 / Thunderbird (24.4.0) / Enigmail 17.2 with gpg2...
Once deciphered, Enigmail (or gpg-agent) keeps the passphrase forever in
memory although I have a .gnupg/gpg-agent.conf containing:

max-cache-ttl 15
default-cache-ttl 15

I'm not sure that gpg-agent.conf is correctly read when Enigmail initiates
gpg-agent at the pop-up of the pinentry windows.

HUP, killall, etc. do not help.

Should I try to configure gpg-agent manually with gpgconf ?

Any ideas ?

Thanks
BP




Re: [Enigmail] Enigmail - gpg-agent - TTL

2015-03-28 Thread Patrick Brunschwig
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 28.03.15 15:59, Blaise Pascal wrote:
> Hi,
>
> using Linux Mint 17 / Thunderbird (24.4.0) / Enigmail 17.2 with
> gpg2... Once deciphered, Enigmail (or gpg-agent) keeps the
> passphrase forever in memory although I have a
> .gnupg/gpg-agent.conf containing:
>
> max-cache-ttl 15
> default-cache-ttl 15

The ttl is in seconds ... 15 seconds seems quite short to me ;-)

> I'm not sure that gpg-agent.conf is correctly read when Enigmail
> initiates gpg-agent at the pop-up of the pinentry windows.
>
> HUP, killall, etc. do not help.
>
> Should I try to configure gpg-agent manually with gpgconf ?
>
> Any ideas ?

I wonder if gpg-agent is used at all. Many distributions are set up
such that a different tool for caching your passphrase is used (e.g.
gnome-keyring).

-Patrick


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVFtyYAAoJENsRh7ndX2k7zLUP/jvwzeOK0qgkaAdnZVDSk8Jc
sbJuQn9JyiDnmT678cWwOuFWMymMXaeSNvhDnRgJ5h+ZQJ7JMrIR/riIfsAAsi5E
fP6X8Ju5OkFBf/BiBFZpKd8weoNjBVaxlaamLn7yajSOXxxcbsjE4TcBphZDVyql
IPCx3Kt2cn5e+n7PPBb9v/SWDtSPGOD0cYsbnvy0YfVQPUuAjFI+3NJwdfnN0m7i
XdU7j/CMypwvbRjGhMKawWbpYQYhmRSmAs8sbCmc1UZlUy+0ypI2YQgpKPDxdpCR
Kez4whP9tFsMWIJ8TPojC7IA16OS1+Ola/odIVHrnmoJdAVSG/S7+lfd8SMcOxvt
qizSvkc4GemtYxraxP6tv85bPRsVJA6CMiZsDVZiW5xpUoltXULKLaYt+h68om6B
QjmSCSsO/ADbCDWWuK8N8XegfJAKGKFdQVSEvk/X5o2FmakRcJesdmJhvdoyyl9w
Ecc+WHn9tX7V4yBTTM+tWYo7g/zJ3W3PECQP1tblcyIu0vrjBLvnmBriNLG/QG51
H5qrHXWejvdED/ECzqDHjr0kFEOMWZAD7O5R0kIjW0PyvXXLPElAOJ3g/ExvhWzC
VRC6HKEAtaYEvtHPgS5PpPy7W+kEAxIm58KMeDswUI9nzayyZpOfL83yOhwyasmF
bFFVzkrjEwXqpLUIlOIG
=u7Cs
-----END PGP SIGNATURE-----

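Patrick's point that the cache values are in seconds, so `15` expires the passphrase almost immediately, can be checked with a small reader for gpg-agent.conf. The Python below is an added example, not from the thread or from GnuPG: it parses the simple `option value` lines, applies the defaults from the gpg-agent(1) manual (600 seconds for default-cache-ttl, 7200 for max-cache-ttl) and the manual's rule that default-cache-ttl is capped at max-cache-ttl, and flags lifetimes that look mistyped. The sample configuration is constructed to mirror Blaise's values; the function names, the 60-second threshold and the last-occurrence-wins handling of duplicate options are this example's own assumptions.

```python
# Added example, not code from GnuPG or from anyone on the list.
# Reads gpg-agent.conf and reports the effective passphrase cache lifetimes.

# Option -> default value in seconds, per the gpg-agent(1) manual.
DEFAULT_TTLS = {"default-cache-ttl": 600, "max-cache-ttl": 7200}

# Constructed sample that mirrors the values posted in the thread.
SAMPLE_CONF = """\
# constructed sample gpg-agent.conf
max-cache-ttl 15
default-cache-ttl 15
"""


def parse_agent_conf(text):
    """Map option name -> value string.

    Blank lines and lines starting with '#' are skipped. If an option appears
    more than once the last occurrence wins (assumption made by this example).
    """
    options = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        options[fields[0]] = fields[1].strip() if len(fields) > 1 else ""
    return options


def effective_cache_ttls(options):
    """Return ({option: seconds}, [problems]) as gpg-agent would apply them."""
    ttls, problems = {}, []
    for name, default in DEFAULT_TTLS.items():
        raw = options.get(name)
        if raw is None:
            ttls[name] = default
            continue
        try:
            ttls[name] = int(raw)
        except ValueError:
            problems.append(f"{name}: {raw!r} is not a whole number of seconds; "
                            f"assuming the default {default}")
            ttls[name] = default
    # gpg-agent never keeps an entry longer than max-cache-ttl, whatever
    # default-cache-ttl says.
    if ttls["default-cache-ttl"] > ttls["max-cache-ttl"]:
        problems.append("default-cache-ttl is larger than max-cache-ttl; "
                        "gpg-agent caps it at max-cache-ttl")
        ttls["default-cache-ttl"] = ttls["max-cache-ttl"]
    return ttls, problems


def describe_seconds(seconds):
    """Human-readable duration, e.g. 15 -> '15s', 7200 -> '2h'."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [f"{n}{u}" for n, u in ((hours, "h"), (minutes, "m"), (secs, "s")) if n]
    return " ".join(parts) or "0s"


def review_agent_conf(text, short_threshold=60):
    """Summarise the effective cache lifetimes and collect warnings.

    `short_threshold` (seconds) is this example's own knob: lifetimes below
    it are flagged as probably meant in minutes, not seconds.
    """
    ttls, problems = effective_cache_ttls(parse_agent_conf(text))
    warnings = list(problems)
    for name, seconds in ttls.items():
        if seconds < short_threshold:
            warnings.append(f"{name} is {describe_seconds(seconds)}: the value is in "
                            f"seconds, so the passphrase expires almost immediately")
    return {"ttls": ttls, "warnings": warnings}


if __name__ == "__main__":
    report = review_agent_conf(SAMPLE_CONF)
    for name, seconds in report["ttls"].items():
        print(f"{name}: {describe_seconds(seconds)}")
    for warning in report["warnings"]:
        print("warning:", warning)
```

What this cannot tell you is Patrick's second point, whether the process answering the pinentry pop-up is gpg-agent at all or a distribution substitute such as gnome-keyring; the file is only consulted by the real agent. On GnuPG 2.x, `gpg-connect-agent reloadagent /bye` asks a running gpg-agent to re-read its configuration, which is a quicker test than killing it.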


Re: [Enigmail] Enigmail Toolbar

2015-03-28 Thread Olav Seyfarth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Mike,

> there should be 3 selections: Encryption, Signing, and PGP/MIME

I disagree. Aunt Sally will ONLY care about encrypt or not. More learned folks
may want to change their default signing setting for specific messages. But only
nerds care to switch INLINE/MIME. I'm not trying to offend you, just making one
point clear: Enigmail must be as usable for anyone. And MOST people will be
confused by an INLINE/MIME selection.

For the expert/nerd: the Label Enigmail: in that button bar is clickable and
you may set INLINE/MIME there. I do agree that this is not good UI design since
users are not to expect Labels to be clickable. It's what it is for now. We may
come up with a better solution. If Patrick does an INLINE/MIME button, then I
urge to hide it per default. Experts may then drag it into their preferred pos.

Apart from the UI: The next Enigmail version we set PGP/MIME as default.

Olav
-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Dies ist eine elektronische Signatur - http://www.enigmail.net/
-----END PGP SIGNATURE-----
