There is no Enigmail in TB91. In TB91 OpenPGP support is provided natively by Thunderbird using the RNP OpenPGP library.Since TB isn't using GnuPG, it doesn't bother to look at GNUPGHOME.Hope this helps!On Jul 28, 2022 7:47 PM, B00ze/Empire wrote:Good day.
I just updated TB from 60 to 91 and I
> Interesting as it is not showing up for my 68 install. I went to
> addons.thunderbird.net and here is what it shows for 2.2.3
TB 77 is not an officially-supported TB release: there's TB 68, then a
series of intermediate releases meant for testing, then TB 78. At some
point between TB 68 and TB
> I thought there is no further relationship between Enigmail an
> Thunderbrid > 68.x
You're correct, there isn't. However, Patrick has included a migration
tool to help people migrate to the latest TB 78. My guess is that when
he says he wanted to get the release out before TB 78.3, that's
> Will that be available for TB 68 as well or just 78? I just had it check
> for updates and it didn't show any...
68 only. As of TB 78, Enigmail is no longer available.
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or
> Hello. I have account at the Service Usenet.nl . Could I fond its
> code secret ? What should I do? Please help me.
Enigmail doesn't have anything to do with Usenet. If you're having
trouble with your Usenet account, your best bet is to ask your service
provider. I wish we could be of more
> I want to repeat: you cannot defend against an attacker with physical
> access to your machine. Cannot.
"... with direct access," I meant to say. Apologies.
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes
>> Point blank: it's all over the moment the bad guy has access to your
>> hardware.
>
> Even if that was true, it should by no means lead to the idea that
> software security is futile.
It is true, and it absolutely leads to the idea that you're spending too
much time on the wrong subject.
> Eventually you'll enter your master password anyway. After that there's
> no other layer of security. All your passwords, certificates and
> PGP-keys lie about in memory. So I'm concerned about memory leaks and
> code injections.
IMO, the vast majority of users worry far too much about these.
My asking was a sort of a joke although still not sure what the purpose
of p≡p based on the following text from the Thunderbird 78 blog:
Given that Enigmail is not p≡p and doesn't work with TB78, perhaps you'd
be best served asking at a mailing list that caters to one or the other?
So then would it legitimate to have a version of Enigmail that continued
to work with TB 78? :)
Won't and can't exist. Please stop asking.
We've given the reasons many, many times. Originally, the Thunderbird
user interface was done using a Mozilla technology called XPCOM.
Mozilla has
> I think this is an American-English idiom misunderstanding. Americans
> use “through” quite consistently to mean “until the end of”, which
> then implies by omission that “until” means “until the beginning of”
> - but such use of “through” is uncommon this side of the Atlantic, so
> an
At least until 2021.
Well no, that's definitely not what I wrote. At least until the end of
2020. And if I will extend support (which is not yet decided), then
*certainly* not for more than 6 additional months.
"Until", not "until and including". :)
You're saying, "from now to December 31,
> since thunderbird 78 doesnt need any enigmail. How long are you going
> to support your thunderbird add-on?
At least until 2021.
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click
Right-click on your mailbox in the far-left pane. (Not the folder, the
actual email account itself.) Click "Settings". Click "OpenPGP Security".
You'll see a tab widget in the center of the screen with three tabs:
"Message", "Composition", "Autocrypt". Click "Autocrypt".
You're off to the
> In order to help him, I created a new public+private key with Enigmail.
> Although using a key without a passphrase is not recommended, I
> generated one without it. Then I sent an encrypted test email to himself
> using the newly generated public key.
A key without a passphrase is completely
On 2020-01-03 12:43, john doe wrote:
What's the best way to use enigmail with subkey?
Enigmail has precisely zero code that second-guesses GnuPG. We don't
ask for passphrases: we let GnuPG decide when and how to ask for
passphrases. We don't ask you which symmetric cipher or hash to use:
Thanks for pointing that out. So, just for my understanding: Are you
happy - design-wise - with the fact that if the keyring is not
unlocked a user is asked for the GPG key even it is already available
in the keyring?
This is pretty far outside our responsibility. The better question is
what
Using Enigmail for some time now - thanks for your work!
Patrick deserves all the credit; the rest of us just try to help him
with the load of questions. :) Which is hard, given that he usually
beats us to answering them!
As I understand, the GPG key for a specific email address is saved
> In particular I hope, that Mozilla will not follow your example and
> won’t entice users to proprietary isolated keyserver [0]
The Hagrid codebase is not proprietary. It's been fully open sourced
and is developed by the same people behind the open-source SequoiaPGP.
I understand you don't
> Patrick, first of all I'd like to thank you for all the effort you have
> put into Enigmail (and will continue to put into it). Without your
> brilliant work it is clear that Thunderbird would not have been as
> successful as it has been.
Absolutely. Hear, hear. :)
> Whilst OpenPGP support
> I honestly strongly disagree with the idea that a key directory (and
> Hagrid is not more than that) must be decentralized.
As a data point: the PGP Global Directory at keyserver.pgp.com is
centralized, has been well-trusted by the community for twenty years or
more, and nobody really objects
> Would it be possible to add an option to repair all received
> messages? (or to be more tolerant with emails passing through
> office365?)
For many reasons, no. We encourage you to report to MS that their
product is buggy, however.
signature.asc
Description: OpenPGP digital signature
> I'll make sure to only ask email encryption/decryption
> related questions on this email list.
We have some tolerance for going off-topic, but the real problem is
you're unlikely to find good, accurate answers on MIME parsing here.
Enigmail uses a very specific flavor of MIME called PGP/MIME;
I'm using it on TB 60.3.1 without any problems.
signature.asc
Description: OpenPGP digital signature
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
> I hope to help identifying the problem with the structure ob that mail…
I hate to be unhelpful, but it doesn't appear as if this has any connection to
Enigmail. You might be better off asking in a Thunderbird forum.
signature.asc
Description: OpenPGP digital signature
> So, should I convert to the gpg2 format "/within/ the old GnuPG
> directory" (1) or install gpg2 in parallel to gpg1 (2), as described in
> these two Webpages?
Beats me. Depends on what version of GnuPG you're using. GnuPG made a
big change in how it handles keys between version 2.0 and 2.2.
> Thomas F. Ruddy:
>> I am running GPG version 1 on Linux Mint KDE.
Okay.
>> So when I compare my results via the commandline with those attained
>> through Enigmail, I wonder whether Enigmail will update the trustdb
>> eventually; now I see that:
Not okay.
Enigmail can only use GnuPG 2, not
While at UXForum I was approached by two people who are involved in
training people in the proper use of Enigmail. Two in particular made
good suggestions that I think could be incorporated with very little pain.
A representative from Front Line Defenders said that the subject line
armoring was
Writing just for myself -- not for GnuPG and not for Enigmail and
definitely not for my employer -- I put together a postmortem on Efail.
You may find it worth reading. You may also not. Your mileage will
probably vary. :)
https://medium.com/@cipherpunk/efail-a-postmortem-4bef2cea4c08
> Given that there seems to be one attack that does affect Enigmail, and
> the potential exfiltration pathways listed in the paper, would you
> recommend waiting for these fixes to come out prior to re-enabling
> Enigmail?
I personally think you should re-enable it as soon as is convenient for
https://www.mailpile.is/blog/2018-05-14_PGP_Security_Alert.html
Short version: Mailpile isn't impressed, either, and is a little annoyed
they were mistakenly listed as being vulnerable.
signature.asc
Description: OpenPGP digital signature
___
> By that the interpretation of the message box would not depend solely on
> "reading its content" but simply by "watching the COLOR":
We're not going to make the primary way of conveying information to
users one that will make it useless for people with red-green
colorblindness. We'll
> No matter what the size of your photo is, in Enigmail your photo will be
> reduced to at most 100x120 px. Other applications may choose to display
> larger images though.
Historically, photo IDs were 120x144. I think PGP 8 allowed for 240x288.
signature.asc
Description: OpenPGP digital
> I received this in today's email. Some of the information is correct but
> his main data, the expiry date, is completely incorrect.
>
> Is anyone familiar with this person or this site?
I've run across it before. I have no reason to believe the bot owner is
anything less than sincerely trying
> Will Enigmail support ECC if we install V3.0?
It already does. :)
signature.asc
Description: OpenPGP digital signature
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
> OK, so I had a senior moment and have forgotten my passphrase. Is there
> ANY way to work around this or change my passphrase ?
There is not. This is a security feature of GnuPG: even if a malicious
hacker were to make a copy of your private key it would be useless to
them without your
> I have just installed your program, but when I recieve an email I have
> this failure and don´t know how to solve:
You've received an encrypted email for which you do not have the
corresponding secret key.
Ask whoever sent the email to re-send it, this time using your correct key.
> Apparently I have done the Cardinal Sin and somehow forgot my passphrase
> in Thunderbird ( the latest version ) and running Win 10 64 bit. Is
> there a work around or resolution for this ?
No.
___
enigmail-users mailing list
> Is it possible to migrate a pgp thunderbird account ?
Yes, although it's much easier if you're using an IMAP mail account.
You will first need to back up your GnuPG directory. If you know how to
do this, great; otherwise, look into a tool like Sherpa. Install GnuPG
on your new laptop, then
> I am using Enigmail 1.8.2, Thunderbird 45.8.0, Win7 Pro, 6 GB Ram, SSD
> Hard Drive.
Please consider upgrading Enigmail -- the current version is 1.9.6.
1.8.2 is quite old and we've fixed a lot of bugs since then.
___
enigmail-users mailing list
My mailserver admin informs me that someone on this list has filed
multiple complaints with Comcast over emails sent by the list. The
emails in question have been unobjectionable. I imagine someone signed
up for this email list, got tired of seeing the traffic, somehow decided
we were spamming,
> One of the programmes I use to scan my machines (Gridinsoft's Gridin
> Anti-Malware) yesterday reported for the first time (I just had updated
> the signature files) an adware infection of GnuPG:
> "A Part of Adware.FPL.ELEX.dd"
It didn't report GnuPG was infected, only that some of GnuPG's
> How can you be so sure my system has not enough entropy? Wouldn't it
> need to be measured first?
When you hear hoofbeats, you look for a horse nearby. It's only after
you conclude there is no horse that you start looking for zebra.
If key generation is taking forever, you think entropy and
> Would it be possible to configure Enigmail to store the decripted mail
> (and provide the original mail as an attachment for instance) ?
We will not implement this on IMAP because we can't, and on POP because
we don't want to accept the responsibility of editing your inbox. A bug
in that code
> Does Enigmail require Microsoft.NET Framework and MSXML?
No.
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
> Is there another directory which should be included into the default
> PATH on macOS? We can't add private directories (that is for what PATH
> is used for), but adding standard directories would be fine.
Well, the problem we run into is there's so many different places people
install GnuPG
I've packaged Sherpa up into an OS X application. It works when opened
at the command line with "open sherpa.app"; it fails when double-clicked
from Finder. The offender seems to be:
GPGME 2017-01-16 14:14:55 <0x0d3f> gpgme-walk_path: 'gpgconf' not found
in '/usr/bin:/bin:/usr/sbin:/sbin'
Q: What's Sherpa?
A: It helps you migrate GnuPG profiles.
It now only blows up _infrequently_. That means I need brave, intrepid
souls who aren't afraid to frag their hard drives. Bwahahahahahaha!
Windows users are preferred right now (since most Enigmail users are on
Windows). A signed
> indeed you can; available optione on [gpg2]:
>
> --export-secret-keys [ names ], --export-secret-subkeys [ names ]
This is insufficient. He needs to migrate his entire GnuPG profile,
including his gpg.conf and gpg-agent.conf files.
Migrating just the private certificates is insufficient.
> I use Thunderbird with Enigmail for several email accounts on a Linux
> desktop and now I wish to use the same setup on my Linux laptop.
> Can I use/share/import the same private keys somehow?
On the desktop:
$ cd ~
$ tar cJf gnupg-backup.tar.xz .gnupg
Copy gnupg-backup.tar.xz to the new
(Responding to Nico, despite this being the next in thread; Nico's
message hasn't made it to me for some reason)
> But there is no way for me to check the full fingerprint.
Sure there is.
If you know the full fingerprint, use that as your search term for the
keyserver. You're guaranteed to
> I'd love to use Enigmail, but when I try to add it as an addon I get a
message
> saying that it has not been verified. What is the status on getting it
verified?
>
> More info here-
> https://support.mozilla.org/en-US/kb/add-on-signing-in-firefox
Not to ask an impertinent question, but ... why
> Ludwig. Please lookup the definition of "troll". I think this ia a
> troll.
Regardless of whether Mr. Dose genuinely believes it or if he's just
trolling, it's all equally unacceptable. There is no trolling exception
to the rules of civility.
___
> Do the keys Enigmail generates come from elliptic curves, from prime
> factorization, or from discreet logarithms?
They come from GnuPG. GnuPG does the crypto operations -- Enigmail is
just a front-end.
___
enigmail-users mailing list
> At the start of the year, I read that the NSA (which is doing serious
> R in this field) recommended taking post-quantum computing more seriously:
> https://www.schneier.com/blog/archives/2016/02/more_details_on_2.html
Great. Take a look at this line from them:
"Given the level of interest in
> I can see a use case you seem to have neglected.
Not neglected: considered and rejected.
First: Arthur C. Clarke famously observed that advanced technology
cannot be differentiated from magic, and it's true. Just like we refuse
to defend against shamans, psychic intruders, and the restless
> If this turns out to be useful, would you consider supporting it
> alternatively?
Right now, there's no use case for quantum-resistant crypto --
absolutely none. In order for QRC to turn out to be useful, there would
need to be a good reason to use QRC, such as the existence of quantum
> what does this mean???
"Shalom" is a Latinization of the Hebrew word for peace. "Salaam" is a
Latinization of the Arabic word for peace.
> what has religion to do with encryption?
It's not religious, and even if it were, it would still be okay. If we
have any Jesuits on the list who wish to
> Yes, 8192 is non standard but what you link to is not correct for real
> world front end applications
The FAQ entry is correct.
> but 4096 is not too big to be default, if
> it is why do lots modern interface default to larger than 2048?
Because there are a lot of people who demand
> to my knowledge GnuPG only supports up to 4096-bit keys.
This is correct. To use larger keys requires patching GnuPG. And once
you run a custom-patched version of GnuPG, we really can't help you very
much. Once you play with GnuPG internals, all bets are off.
I just received this at my Enigmail address. I'm posting this publicly
because I side with Rudyard Kipling, who wrote:
"And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the
> Indeed I am! Good old TB24 :-) I'd like to see someone infect me with an
> email on a mailer that doesn't run any scripts; probably not impossible...
Further, the interested reader is referred to Thunderbird's own page on
security exploits.
> Indeed I am! Good old TB24 :-) I'd like to see someone infect me with an
> email on a mailer that doesn't run any scripts; probably not impossible...
Easier than infecting the latest TB. TB24 has a number of known
exploits, and its HTML rendering engine is taken from a version of Gecko
with a
> Or, copy everything and then delete random_seed before trying to use
> GnuPG :)
Works most of the time, not all of the time. Trying to copy a lock file
while GnuPG is using it, for instance, can lead to access violations
("this file is currently in use and cannot be copied" sort of things).
> On the new machine, delete all files in %appdata%\GnuPG _EXCEPT_ these:
> - pubring.gpg - your precious secret keyring. Make sure to have an
> offline copy of it at all times.
> - secring.gpg and trustdb.gpg - your public keyring along with your
> trust settings.
> - gpg.conf and
> Sorry I missed that one. To combine easiness with security, add one
> further step to my guide:
Also, your guide is only good for GnuPG 1.4 and 2.0. 2.1 changes things
a lot.
This is why I made a tool to do things. While it's possible to back
things up by hand, GnuPG doesn't make it easy,
> GnuPG has a habit of putting per-machine files in that directory, things
> like socket file descriptors, lock files, and other such things. Most
> of that is harmless. But some of it, such as random_seed, are files
> that *must not* be shared between PCs.
Someone asked why random_seed must
> On the old PC, open Windows Explorer, type %appdata% into the Location
> line, and Enter. You should be in a directory called "Roaming" now.
> Therein, you should see a directory "Thunderbird" (or "Mozilla
> Thunderbird"?) and another called "gnupg" (or "GnuPG"). Just copy both
> directories to
> cleartext message. "Red alert" is the wrong model UNLESS it is an error
> or threat for a particular user to EVER receive an unsigned cleartext
> message, and that is a tiny, tiny fraction of the Enigmail userbase.
If we get a bad signature, I want a clear warning to be sent up. Bad
> Sorry for answering so slowly. I like the idea very much, but I think
> we could even go a step further, at least for non-advanced users: a
> simple symbol with just 3 colors:
This was, in fact, the proposal I originally pitched at IFF. The
trainers I spoke with were mildly in favor of it, but
> If you're interested in the subject of avionics user interfaces and how
> bad avionics UI literally kills people...
There's also a long, but very good, account of fatal user interface
design at _Vanity Fair_:
http://www.vanityfair.com/news/business/2014/10/air-france-flight-447-crash
> Refreshing a full keyring has the downside that it exposes the entire
> keyring at once to the keyserver.
You know what happens in a modern airplane if an engine catches fire?
The pilot gets a polite and unobtrusive warning message -- a "hey, the
engine's on fire, you should look into this"
> Looks like quite some work though (and icons aren't simple since they
> should fit in different themes).
> Volunteers for coding/drawing/testing?
I had some conversations with organizations at IFF who are willing to
pay money to fund new Enigmail development. I demurred on accepting or
It would be nice if Enigmail could keep track of the last time the
keyring was refreshed -- or, more accurately, the last time Enigmail
refreshed the keyring. Then, every 30 days, Enigmail could prompt the
user for:
"It's been a month since your keyring has been updated.
Would
> Question 1. with PGP/MIME, is the e-mail being encrypted before
> sending, the same as it shows with PGP-Inline ?
Yes.
> Question 2. when receiving e-mail encrypted with PGP/MIME protocol, the
> top bar says it has decrypted. Was it actually encrypted properly by
> the sender. Sender
> 1) Is anyone here using gnupg 2.1.x with Thunderbird and Enigmail
> 1.9.1? And of course do you have any problems?
I am, and no, I'm not having any problems. I was this morning after
doing some testing, but that turned out to be because I'd accidentally
told Enigmail to use a revoked
> While doing some testing on Windows, I seem to have gotten wedged in an
> interesting problem. Enigmail can decrypt messages just fine, but not
> sign/encrypt: attempting to do those causes the send to fail, but
> strangely, nothing useful appears in the logs (attached below).
Problem
icenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/Robert J. Hansen/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH,
> Enigmail doesn't provide a means to do it, but you may use the command line:
> Start CMD, issue "gpg --edit-key YOUR-UID", select the UIDs you want to
> delete using numbers, e.g. "4", "5" and then the command "deluid".
Note that this only works if you haven't uploaded your certificate to a
> Unfortunately a Gpg4win does not yet support GnuPG 2.1 but iirc Enigmail
> can use 2.1 if you install the plain GnuPG 2.1 installer from gnupg.org.
I can confirm this is the case. Enigmail works pretty well with GnuPG 2.1.
That said, I'd only recommend it to UNIX users or advanced Windows
MIT's Technology Review has a good article on how user error tends to
subvert communications security. It's probably not news to people here,
but it might be worth sharing with your less-technical friends.
> Even in corporate settings?
Especially in corporate settings. Most employees don't like email and
try to avoid it. Most of what enters an employee's corporate inbox is
spam generated by that same corporation: company-wide emails that really
should've been sent to a small group, invitations to
> E-mail remains the primary form of written communication in business,
This depends a lot on your business. I know a fair number of
businesspeople who rely on SMS far more than they do email. Skype for
Business, Lync, and Google Hangouts are also transforming how business
communicates.
> People often add their PGP Key ID or Fingerprint to their email
> signatures. Which is preferable/better to help interested parties find
> your key?
As a general rule, fingerprints. It's possible to use key IDs safely,
but it leaves the door open to a few attacks. It's easiest to close the
> no.it was an effort to make the code less machine dependent .
Which is one of the problems involved in writing Assembly code. C's
original purpose -- as dmr said many times -- was to be an expert system
for generating Assembly code in order to shield programmers from the
problems
> the object was to create a programming language with the assembler's
> ability to locate and access data structures -- but to do so in a
> portable syntax. the portability is where the savings would come
> from.
Yes, and as I've said several times so far, that was one of the critical
To all our users in France, please know that we're with you. There are
no words for such a thing as has happened today in Paris.
___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
> C is a tool
Anyone who says "it's just a tool" is someone who has apparently never
heard the phrase, "use the right tool for the job."
C's a tool. Sure. Of course. But that doesn't mean anything. The
question is whether it's the right tool for the job, and whether it's
being used
> Is GnuPG substantively broken?
It depends.
One of the major problems with C and C++ is these languages are almost
perfectly designed to resist static analysis. (You can write
analysis-friendly C++ if you limit yourself to a subset, but the instant
you rely on any Cisms you open a gateway to
> "So why aren't we using GPGME?"
Excellent question, and I'm glad you asked! As it turns out,
Thunderbird has a policy against allowing plugins to use native code
directly. As an example, we had to remove some of our native-code
libraries that we used for Enigmail -- we had to make Enigmail
First, don't panic. I'm asking this kind-of scary question in order to
foster a discussion, *not* because I expect Enigmail will have any kind
of problems. But nothing seems to get a mailing list quite as active as
a little fear for the future. So, take a deep breath, remind yourself
that it'll
> I disagree with this general line of reasoning. It's certainly possible
> to get someone to use an encryption tool without convincing them that
> they want encryption.
I'm going to back Phil up on this one, because I think he's talking
about a specific case rather than the general case.
A friend at Facebook just clued me in to a story at The Register:
http://www.theregister.co.uk/2015/09/24/facebook_crypto_upped/
I know nothing more about this than what's in the page. Figured some
people here might find it interesting, though. :)
> ssl/tls is a mess: they pass out x.509 certificates like fliers at the
> fair and there is no way to tell which are right and which are fake just
> by looking at them.everyone is told "don't worry; be happy; you CA
> has your back"
Sure. But where is this a flaw of TLS? It isn't TLS's
> the flaw is in assigning FULL trust to the CA without the user's
> permission.
Might want to bring this up on GnuPG-Users, then, since a future version
of GnuPG is going to switch from WoT to TOFU, and that's *exactly* what
you're talking about here.
signature.asc
Description: OpenPGP
> That said, wiktionary defines authenticity as:
>
> 1. The quality of being genuine or not corrupted from the original.
Yep, which is why as much as I dislike a five-syllable word it seems to
me (IMO) to be the best option right now.
"Fidelity" would also work and save us a syllable, but it's
> The term "authenticity" usually refers to the provenance of something,
> or to its origin, at least among the english-speakers i talk to.
I already don't like "authenticity", so you'll have an easy time with
this one. I'm not sure "integrity" is a better alternative, though.
>From Google:
> ...but still maintain that there is a functional difference between no
> signature (nothing to see here; move along) and failed or faked
> signature. Either of the latter may need to be investigated. The
> former need not be, unless you were *expecting* a signature and didn't
> get it.
You
> ...but still maintain that there is a functional difference between no
> signature (nothing to see here; move along) and failed or faked
> signature. Either of the latter may need to be investigated. The
> former need not be, unless you were *expecting* a signature and didn't
> get it.
I'd
> authenticate is the right word.
If we were in the Army, I'd agree. I'd also insist we start calling OpenPGP's
cipher feedback mode by its Signal Corps term: it's ciphertext autokey mode,
dammit. :)
___
enigmail-users mailing list
1 - 100 of 186 matches
Mail list logo