Enigmail Standard In Mandrake 9.0
AxelTorvalds writes "The Mozilla 1.1 RPMs in Mandrake 9.0 contain the enigmail plugin. It seemlessly encrypts, signs, decrypts and authenticate email with GPG or PGP in the Mozilla Mail client. This is the first major distributor I know of to support enigmail. With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?" Update: 09/15 17:26 GMT by T : Borked link fixed.
This is of course the correct link.
Teenagers these days don't have as much sex as they want each other to think they do.
Excellent, except as I recall, Microsoft Outlook has had this ability since the release of Windows XP... sure it's not GPG and PGP messages, but it's seamless strong encryption. I love mandrake though, and this is a great step. Good work team!
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
the link is broken
Or would that be "seamlessly"?
With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?
Of course! Because we know that the only thing holding back encrypted e-mail is the fact that Linux didn't have it built in! (rolls eyes)
Of course, the fact that it's extremely difficult (if not impossible) to make it fully automatic for the users has nothing to do with it.
Sometimes it's best to just let stupid people be stupid.
Spam I can't read!
Non impediti ratione cogitationus.
The thing holding up encryption isn't Mandrake, or Linux, or the NSA. It's making it easy for my mom to use when she sends me a hoax chain letter from her AOL account, promising me that Bill Gates is going to send me $500 if I forward it to all my friends too.
Seriously, though, it's the least common denominator. Maybe with the adoption of DNSSEC and SMTP extensions we can eventually have pseudo end-to-end encryption handled by the mail servers themselves. But until the more common email clients perform encryption on their own, no pgp keys to import, etc., don't look for my mom to start using it.
and as a distro is growing at a much faster rate than any other distro in the Galaxy :-)
check http://www.gentoo.org
I have been waiting for effortless encrypted email for years now. About time free and open interoperable email integration has been offered.
Sen:te has put together something that works seamlessly and automatically w. OS X's Mail.
But you are right - the lack of Linux (or Mac) support is not what has kept secure email from becoming more wide-spread.
And with the coming of quantum computing as reported in past articles, this golden age, like any, will have a definite ending point
"Hey brother Christian with your high and mighty errand / your actions speak so loud I can't hear a word you're saying"
Don't the slashdot editors even click the links in the article they post?
This is the correct link.
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I'd like to point out that the mozilla 1.1 ebuild in gentoo actually includes enigmail... But yes I know that it is still masked for some reason that's outside of my understanding.
freenode.net #gentoo asked me to do this.
Gentoo was the first, and yes, gentoo IS major.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Because we are not all paranoid?
What's next? Scrambling your voice over the telephone?
"With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?"
Yes, definitely. With the three most popular e-mail clients in the world (Mozilla Mail, KMail and Evolution) all supporting encryption, I'm sure e-mail encryption will finally be the rule.
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
Nope. Not until all the most popular mail clients include functionality to make it ridiculously easy for a nontechnical user to use encryption (including key generation and management), will we see commonplace encrypted email. The inclusion of an extension to mozilla on a linux distribution hardly fulfills this requirement.
Because it's the same as sending an email.
What we need is a way to be able to send mail to anyone without your ISP/whatever being able to notice. And no, just running an SMTP on your linux box isn't enough.
While it's nice to have encryption support included by default, there are some problems. The biggest of which is that there are still outstanding crashing bugs caused by using enigmail with Mozilla. Since there are several that occur when not directly using enigmail functions, some people might have a poorly working browser and not realize that the bundled enigmail is the cause.
With this and Evolution and Kmail both supporting GPG and PGP are we at the dawn of that golden age when encrypted email will be commonplace?
No. The biggest problem with public key encryption is that you can't use it on multiple computers without some way of transferring the private key. Plus you have to keep a backup of your private key somewhere outside your main computer's location, yet somewhere it will remain secure.
So, ultimately, unless you carry around a CD everywhere you go, you're probably relying on passwords in the end anyway.
Is Enigmail working?
If you celebrate Xmas, befriend me (538
Does anyone really use Mozilla mail? The web browser is great, but the mail client.. ehh..
Mozilla should have the ability to receive all major forms of encrypted mail as standard. (As with other formats, the "player" needs to be more widely distributed than the "authoring" program.) That will help Mozilla's market share.
I'd like to see Mozilla marketed as "the browser for business" - popup blocking, encrypted mail, spam filtering, virus blocking, etc. Contrast this with Microsoft Explorer, which is a home entertainment center whether you like it or not.
seemlessly = seamlessly
http://www.ietf.org/rfc/rfc2440.txt
what clients would actually need to support this for it to become really standard ?
Outlook (express)
Eudora
Lotus Notes
I can't think of any more really, can you?
regards
John Jones
This sounds all wrong but, read this and think about it.
Please, don't use encryption!!!
and easy to use, but perhaps a bigger issue is that the majority of the internet-using, mail-sending world has no concept of certificates and public/private key pairs; really, PKI in general. Still we have to start somewhere, so this is a step in the right direction.
Please, AxelTorvalds was obviously talking about the Linux world. You could also object that he said "the first major distributor" instead of "the first major GNU/Linux distributor". What's the need for a cheap shot? How about being a bit nicer to other posters?
There are clearly currently 4 major Linux distributions: Red Hat, Debian, Mandrake, SuSE. Even Slack is not anymore a major Linux distribution.
Eh, how precisely is this magical encryption supposed to take place without any key exchange? You might be able to have "secure" email between a mail client and a mail server by using SSL, but the message itself can't be encrypted to a specific recipient without a shared key (or else how would that recipient - and only that recipient - decrypt it?).
The way to make mail encryption prolific is to make key creation, key escrow, and key exchange a simple process. Personally, I think the best way to handle that is to establish a government program for the issuance and authentication of "Internet IDs". Basically, a person applies for an IID by providing verified proof of their identity, then they are issued a smartcard which contains their secret key. To use the card, you need a smartcard reader on your PC (or a cheap aftermarket USB reader). When you want to send a key signed email or decrypt an encrypted email sent to you, you insert your card in the reader, and type in your password or PIN.
When someone receives a signed email from you, they don't need to exchange your public key with you, since their software automatically connects to the government key server via the Internet, requests your public key and verifies the signature. Likewise, when they want to send you mail, their mail client searches the federal key database for the recipient's key, and if available, either offers the option to encrypt, or does so automatically (a user-defined option).
Of course, the NSA and the National Security Council will likely poo-poo such a plan, unless of course they are allowed to escrow the secret keys, thus enabling them to decrypt anyone's email. I don't know that this is such a big deal though, since unless you regularly encrypt your email, the government is already reading it.
I'd like to point out to everybody that Mandrake 9.0 has not been released yet. It's been in Beta/RC for 7 weeks now. It looks like it's going to be a great Linux distribution: server features are great and numerous, desktop and the Mandrake Control Center have been totally redesigned and are now extremely slick. As far as I know it's also the most tested Mandrake release ever.
Thank god they follow the MIME/OpenPGP standard! Now maybe us Sylpheed users will be able to decrypt email from non-Sylpheed users without having to jump through a slew of goddamn copy-to-clipboard hoops.
Email client developers, take note. Please don't reinvent the wheel. It only slows down adoption of encryption.
If you're going to compare a source-based distro with a binary distro, you probably need to compare with the publicly available beta tree (if there is one).
Enigmail was added to Mozilla-1.0.0 in cooker on 17 July 2002.
The only problem is, I am not totally sure if it's working now (it worked in 1.0.0, it worked in one of the 1.0.1 releases, but it seems broken now, even if using the XPIs from mozdev.org).
It crashes mozilla when reading a signed or encrypted mail for which you have a key. Encryption and signing seem to work fine.
Once encryption is widespread, you will know something is spam by the fact that it won't be encrypted... Your friends and people you want to email you will have your public key to encrypt...
I'm not here now... I'm out KILLING pepperoni
``...are we at the dawn of that golden age when encrypted email will be commonplace?''
No, because M$ Outlook [Express] doesn't have it enabled by default.
Please correct me if I got my facts wrong.
of encrypting your email when every time you check it, you send your password in clear text across the net. This drives me absolutely insane. Why TF do 99% of all ISPs and webhosts still use insecure authentication? Yes, if you encrypt all of your emails and if everyone who ever emails you encrypts theirs, you're a step up, but that clear text thing kinda makes it all worthless.
Why has this most glaring of all security problems not been addressed for the general public? Why Why Why Why?
Want to hear something funny and typical? My webhost for my business, which also does my email, requires SSH to log into my shell account to do things like upload files to change my website etc. But I have to use the same fricking logon and password to check my email. Does that make any sense at all? I'd out them right now so you would know not to use them but I don't want my website cut off.
O.K. just relax.....I'm on a beach.....
If you wanna get rich, you know that payback is a bitch
hmmm... satire wire tells you not to do something. I have this sneaking suspicion that they were being sarcastic.
The point was that since encryption isn't very widespread, whether or not an email is encrypted tells you a lot... which is bad. While the content is encrypted, the headers are not, which means if someone sees that you are sending encrypted mail, they will know who is sending it and who is receiving it and will become suspicious. This is actually a very good argument for proliferation of encryption, and use of encryption on everyday "boring stuff".
I'm not here now... I'm out KILLING pepperoni
Enigmail Project Mozdev Site.
I've been using it for a while, and since this is only in Mandrake (AFAIK) I doubt it would make that much difference.
A mate and I tried to set up encrypted email a couple of months back. I use evolution and he uses Pine (I think). The hardest part was setting up the public/private keys and getting all that working. We had to do that via the command line, which 'end users' wouldn't find easy. Once we had done that then it is _really_ easy to use in evolution. Simply create a new email and select 'Security|PGP Encrypt' and it's done. In pine the problem was reading the email I sent. My friend had to save the attachment and then decrypt it. However, sending encrypted email from pine was easy.
I do agree though that once it is a seamless process from setup to use then it will become more popular.
[Please type your sig here.]
Swedish-Chef Google search on enigmail.
Great news for enig, but what about the other distros? Will this news carry any weight, giving the other offerings a desire to carry enigmail?
What about ximian support?
A week ago I downloaded the 1.1 mozilla rpm from SuSE's ftp-server. It came with enigmail included as well. So this seems to be becoming a standard part of more distros. This is a good thing.
I just did a fresh emerge of Mozilla 1.1 last night on my Gentoo 1.2 box and it installed Enigmail also, so Mandrake isn't the only distro doing this...
Who wrote this?
How many monkeys does it take to edit a Slashdot posting, anyway?
Evolution shipped with the last version with PGP support IIRC
-- Who is the bigger fool? The fool or the fool who follows him? --
What's this talk of a golden age? An age where we are all so paranoid that we encrypt our mail routinely? Sounds like a world ruled by fear more than anything. I for one have nothing to hide, and want no part in it.
To the best of my knowledge, PGP looks at a path you specify for the keyring files. Now on Windows, I imagine when you stick the USB keychain disk in, it gets whatever available drive letter it gets. So then you have to go set PGP to look at the right drive.
Under linux I guess it would always mount to the same path, but how does the system know what user inserted the card? Would it mount as UID root? That's not good. If it's formatted ext2 I guess the UIDs would have to match. But that's weak.
What I'm thinking is PGP (etc) needs an API so you can press a button that says "I am going to stick in my keychain with my keyrings on it now", and when the device is detected, the system only allows PGP access to read it, and only to the current user.
Dunno if that makes sense, but the USB keychains are perfect for that sort of thing, cause your private never needs to be readily available unless you're actively using it. And then only briefly. Leaving it sitting in ~/.pgp (or "C:\Documents And Settings\Application Data\Network Associates\PGP") is just unneeded risk.
aohell not intranet EXPENSIVE EXPENSIVE EXPENSIVE trial!!!!!
Oh wait, this is a cypher and not a truth-code.
You can't judge a book by the way it wears its hair.
Everyone knows that email privacy is just another tool for so-called major operating system producers to bitch and fight over. No standard will ever be followed by all parties even when they make perfect sense. It's all a hack!
I use Debian - they have philosophies, standards, protocols and procedures as well as gpg/pgp (which took me about an hour to learn and start using with GPG CLI Program, MIT Keyserver and Sylpheed Mail Client).
When all else fails - Debian prevails!
Pixels keep you awake!
Now they just need to add the Spellchecker.
Of course, the fact that it's extremely difficult (if not impossible) to make it fully automatic for the users has nothing to do with it
Actually, while the setup is still not idiot-proof, actually using gpg in mutt is really, really easy, and works exactly the way I like. I automatically sign everything I send. mutt caches my password in memory so I don't have to type it over and over when sending a quick succession of emails. I automatically verify incoming signed emails, and download their keys if I don't have them from the keyservers automatically. Mutt gives me a status on whether the web of trust includes the key signing a letter. Dunno about encryption, since I can't find anyone else using pgp/gpg with encryption to find out with....
May we never see th
You may like Gentoo, but it sure isn't a major distro.
May we never see th
mozilla-spellchecker is in, and it has been patched to use the myspell-* dictionaries which are included for use with OpenOffice.org
# urpmi mozilla-spellchecker
should prompt you for your choice of dictionary, if you don't have one installed yet.
Great, PGP support is included. Now all they need to figure out is how to package enough clue inside the box so people can properly use it.
The OpenPGP and its public keyring trust system are very complex and not something most users will ever understand. And there are so many other weak links in the chain that it just turns out to be overkill.
Anyone have ideas on how secure e-mail could be brought to the masses? Because shipping PGP is not it. PGP has been around a long, long time (in Internet years), and if there was demand, it would have taken off already.
The enigmail plugin is a separate package, and not in the default install (IIRC).
And the only crash I have had with it was when decrypting or verifying an encrypted or signed mail, so I think that's pretty obvious to the user that they should uninstall mozilla-enigmail (which they must have selected, since it's not default).
Of course, the best option would be to ensure that this is fixed.
are we at the dawn of that golden age when encrypted email will be commonplace?
No.
There are still two important pieces missing. Without them the non-geek will not be using encrypted email.
The first is key generation. No matter how simple of a front end you have for it, the user still has to consciously sit down and create a strong key. We all know from experience that the average user will not want to do this.
The second is even more problematic. That's key management. Where is the average user going to store their private keys? On their hard drive or on a floppy disk? And will they be conscientious participants in a web of trust?
So far most proposed methods of automated key management have been detrimental to our privacy (Clipper chip, Passport, etc). But here's one idea: create and market a USB dongle that has a write-once key that is generated during its first use (or the user could initialize it with a preexisting key). Such keys would be automatically signed by the manufacturer. It might not work, but it's something to think about.
A Government Is a Body of People, Usually Notably Ungoverned
Looking at how much you can fit on a USB keychain drive from ThinkGeek, which is 128 megs, a stripped down copy of linux + GPG and a few other utilities, like a basic text editor, and your key(s) should be able to fit on one of those drives. Then all one has to do is boot off the keychain drive and then type their message in their favorite text editor on their personally setup keychained distro of linux and then save the encrypted text onto another device on the computer like a floppy. Then, unplug the keychain drive and boot the computer normally, and simply copy and paste in the encrypted output into whatever email program/site you were going to paste it in. That way, your private key is never really read by any software on the machine. The only thing is that I am not sure if key chain drives are bootable by themselves though. Does anyone know if they are?
Much as I would like to see encryption be commonplace, I think there are harder problems than just getting it built into many mail clients.
First of all, most deployed software is insecure, and most machines are configured badly. If everybody used OpenPGP, then there would be key-stealing Outlook/Word/IE worms.
It is not completely clear that PGP's web of trust system can scale up to a system where most users are naive and many keys are compromised. Will it really cope with being flooded with key signatures that are not properly validated (against photo id, etc), or that were made with compromised keys?
I think these can be overcome, but it requires more than just shelling out to PGP. It will need some really serious thought about how to write a user interface that clearly explains security actions without overwhelming the user. It needs better investment in infrastructure to keep keyservers and revocation lists up to date. Possibly it needs smarter trust metrics that can cope with Joe AOLer's tendency to sign anyone's key when he's asked.
Now that we're getting to the point where encryption is fairly viable (though the infrastructure may be a bit lacking, depending on your view of it), SPAM has a great opportunity to hide itself - by encryption. For example, say your ISP has the greatest ever spam filters installed. If the spammer just uses encryption of any reasonable form (but still gives you a way to see it - maybe sending the key in a different file, posing as someone you should know), they cannot be stopped by any kind of filter, with the exception of explicitly blocking domains and IP addresses/blocks.
It goes both ways.
Just FYI - Gentoo has supported Enigmail for a fair while now - since Mozilla-1.1 came out. The ebuild is masked, but all you have to do is unmask it, type 'emerge mozilla' and in a few hours you have Mozilla-1.1 compiled with Enigmail support.
Sweeeeeeeeeet!
Mini USB storage devices are definitely cool, but this is the kind of thing that smartcards were invented for. Smartcards have a number of major advantages over USB storage, including size (can a USB device fit in your wallet?), durability (can a USB device survive being run over by a truck?), and the often overlooked benefit of number-of-insertions-before-failure of the reader devices (will your USB port still work after 20,000 insertions?).
:-)
The big advantage of mini USB storage devices is capacity. You can get a USB device that holds 128MB, while most smartcards don't hold more than 16KB. That's a big difference, but it's not significant if you only want it to store a few key pairs. Smartcards are also a lot less expensive. The major drawback of smartcards is that, unlike USB, readers are not included on your average motherboard, although they are becoming reasonably inexpensive and are starting to be included on a number of thin client devices.
A big disadvantage of both USB and smartcard solutions for portable cryptography is that you have to trust the host computer you are using to keep your private key secret. Are you sure that the email client on the random computer you are using won't do anything inappropriate with your private key? Are you sure that the OS on that computer won't write your private key out to virtual memory on a hard drive that could be analyzed by an organization you don't trust? This is a problem that crypto-smartcards solve in theory (by using a cryptographic coprocessor on the card and never letting the private key leave the card), but, in practice, they generally only en/decrypt data that are stored on the card itself. They don't typically perform cryptographic functions on larger quantities of data because they are s l o w.
So what is the solution? We either need _really_ smart cards (and readers (and compatible software) attached to every machine we might ever use), or trusted remote systems that we can securely logon to from anywhere (this is actually possible or close to being possible today (if you are willing to overlook keyloggers)), or mini (wearable? implantable?) computers which never leave your person, including i/o devices (like a keyboard and display) and the ability to network with any other system you care about.
(Damn. I thought I was going to make some great points about the advantages of smartcards, but I blew them away too.)
Excellent explanation. Mod parent up!!!!
If all / most mail clients were able to store and utilize a variety of private keys then my friends who don't care about encryption could store my key and thus all mail sent to me would be automatically encrypted with my private key.
That would help.
Most important thing to make more people use encryption is to make it so easy for them that it won't be the slightest of an inconvenience.
Enigmail is a great project.
I don't think you get it. The fact is, some people (like me for instance) are not at all bothered by what you describe. I understand what you say, and actually, I don't usually mind copies of my emails sitting on servers all around the world.
Of course, I have nothing against anyone using encryption. I'd use it myself if I felt it was needed for a particular message. But I don't see ubiquitous encryption as a golden age.
If the U.K. government starts the monitoring and surveillance of Nationals who have made repeat visits to countries governed by suspect regimes (Vietnam), or home to significant revolutionary guerilla movements (Peru), you would have no objection?
If -- by extra-legislative intelligence agreements -- they shared this information with unaccountable foreign agencies in the U.S., Canada and Australia... You'd still be comfortable with that? I'm sorry if I have taken the argument closer to the "paranoia" scenario.
I take your point about "Golden Age" hyperbole. But the issues are farther reaching, by implication, than even most well-informed people are aware of.
"Flyin' in just a sweet place,
Never been known to fail..."
...and I think any law firm that uses e-mail should have its lawyers disbarred for gross incompetence. I do family law, and I can tell you that the e-mail I would get or send could get people killed. For that reason, although I've been using computers since 1970, I've never had e-mail and never will. If you think about it, e-mail is great as long as you don't mind anyone being able to read yours. I have no secrets, but a lot of my clients do.
Your comments deserve a reply. As it happens, I am a British citizen and I have also been to both Peru and Vietnam - so I suppose that means I might be a target for surveillance... Well, that's fine by me. I have nothing to hide.
I also don't have a problem with government agencies sharing information in order to track down the real crooks. International cooperation is important. The real crooks are probably using strong encryption anyway. At least MI6 and the CIA will be able to eliminate me from their enquiries quickly 8-)
I am glad you are unconcerned by the free traffic of personal and sensitive communications into hands of unintended recipients with indeterminate motives.
I think it naive to view MI6, etc. as "Good Guys" who will accurately use this intelligence to correctly identify "Bad Guys". The historical performance by U.K. and U.S. on these counts is miserable. Sometimes the "Bad Guys" are villagers trying to clean up foreign polluters in Malaysia, or people like Nelson Mandela... I won't try to convince you further on this point. Read, and draw your own conclusions.
Even when the agenda and motive of, say MI6, are not in doubt, do you want to be Mr. Buttle from Brazil?
Oh, and the "Bad Guys" aren't generally using strong encryption. This was one of the Red Herring issues in the pseudo-intelligence speculation after 9/11. Talking Heads from "expert" think-tanks spouted these claims like mad, and started a mini craze on searching for encrypted terror communiques. Never happened. All the communications were plain text and regular phone conversations. The interviewees last week on Al Jazeera explained clearly how coded phrases were used to pass information on open channels.
What is harmful in your attitude is that you imply there is again something criminally suspect in the casual use of encryption technologies. I refer you to my earlier post in this thread - There is potential criminal and civil liability in NOT employing encryption, when commonly available.
"Flyin' in just a sweet place,
Never been known to fail..."
So, Mr Cornelius. I seem to have underestimated you. It appears that my evil plan to hide my nefarious activities in Peru and Vietnam by publishing the information openly on the internet has badly backfired...
;-)
In all seriousness, I don't see the use of strong encryption as necessarily suspect. I think everyone should make up their own mind on that, based on their view of what they do and don't mind others knowing about themselves. I personally would only bother with it for something that I wanted to keep private. Some things are just too boring to bother keeping private.
And yes, I stand corrected on the 11 Sept stuff - now you mention it I do remember hearing that codewords were used instead of encryption.