back to article Encryption? This time it'll be usable, Thunderbird promises

Those who remember trying to configure the Thunderbird of old to work with PGP – an effort akin to learning how to run an Enigma machine while blindfolded – will be watching with interest: the project's coders promise that 2019 will be the year of easy encryption. When the Mozilla Foundation decided to turn the email client …

  1. Tascam Holiday
    Meh

    Better Exchange support would be more welcome

    It's nice that TB is going to get some love after years of neglect, but I'd rather they put some work into native support of EAS or EWS. I know IMAP is available from Exhcange but my last two employers wouldn't enable it.

    There are some add-ons which can help, but they're of variable quality and suffer from frequent abandonment.

    1. HaydnH

      Re: Better Exchange support would be more welcome

      Have you tried davmail as a Thunderbird <-> Exchange gateway? I use it at work to connect thunderbird to EWS and it works surprisingly well. I did have a few issues with mailboxes corrupting and taking an age to recover, but changing Thunderbird to use maildir fixed that.

      1. JimmyPage Silver badge
        Unhappy

        Have you tried davmail as a Thunderbird <-> Exchange gateway?

        Yes.

    2. BlueTemplar

      Re: Better Exchange support would be more welcome

      Aren't those proprietary protocols ? Why would Thunderbird devs want to touch *that* !?

      1. Anonymous Coward
        Anonymous Coward

        @Blue Templar - Re: Better Exchange support would be more welcome

        You're absolutely right! TB devs would love to tackle those protocols but Microsoft IP (license, patents etc.) is a strong deterrent. Just look at Google vs Oracle API saga. MS lawyers would vaporize TB instantly only using left hand's little finger.

        1. Jeremy Allison

          Re: @Blue Templar - Better Exchange support would be more welcome

          Microsoft has now joined OIN. I don't think they are as scary for FLOSS projects anymore as you seem to think (they're certainly no longer any threat to Samba).

  2. This post has been deleted by its author

    1. A.P. Veening Silver badge

      Re: Does it make sense to send encrypted e-mail?

      Correct usage of PGP includes double encryption, once with your private key (decryptable with your public key) to prove you are the sender and once with the public key of the addressee, so only that person can read it.

      The main function of email is messaging without the need for real-time communication.

      1. Cynic_999

        Re: Does it make sense to send encrypted e-mail?

        No, it does not need to be double-encrypted. If impersonation is a factor (and it may not be), then your message is simply *signed* with your private key, not double encrypted. i.e. a hash of the message is encrypted with your private key and appended, not the entire message.

        In some circumstances the recipient will not have your public key, so double-encrypting in the way you suggest would make it impossible to open.

    2. JimmyPage Silver badge
      Stop

      Re: The trouble with PGP is that

      Very few people understand it properly ....

      1. Tom 7

        Re: The trouble with PGP is that

        Agreed. But with 'easy to use' tools things should get better - or at least people should find it easier to send and receive encrypted email etc which I believe is a good thing.

      2. Doctor Syntax Silver badge

        Re: The trouble with PGP is that

        ...it isn't a required part of the protocol that Thunderbird supports.

        Very few people use PGP because very few if any of the people they correspond with us it. That's because those of the people who they correspond with who don't use PGP don't use it because very few if any of the people they correspond with don't use it. That's because... (Recusion: see recursion.)

        What's needed is a Simple Encrypted Mail Transfer Protocol with SMTP being deprecated.

        1. DCFusor

          Re: The trouble with PGP is that

          Well, some friends and I use FloyCrypt for Gmail and while we have no idea if it's any good, crypto-wise, it sure is easy to set up and use....Maybe it makes a little more work for snoops, I have no way to know.

          I use gmail (oh well, slurp) and tbird and frankly, tbird is such a piece of junk with such a horrible UI I only point it at the email addresses I don't really use anymore, to go clean up the inbox by deleting the spam - which it detects about 1/10th as well as gmail, and which requires WAY TOO MANY clicks to delete.

          I sincerely hope they fix this piece of crap, don't get me wrong, but it's going to be a good bit of work by someone who understands work flows...

          And who understands how to make it easy for beginners, while letting power users have the good-trick features all at once. Missing that one, is of course, hardly limited to Tbird....How these fancy UX guys can miss the obvious (but difficult) while fussing about corners and such....participation trophy winners I guess.

          I have met good human factors people - they had PhD's and years of experience in human studies like psychology....eg, not some self-styled "artist designer".

          1. DCFusor

            Re: The trouble with PGP is that

            Obviously some google haters here....or something. 3 downs really?

            I suppose someone's going to tell me they can write encryption code for *any app in a connected computer whatever* that isn't trivially backdoored by some APT or even a kiddie who gets hold of the tools to do some 0 day persistent UEFI or rootkit hack undetectable by you. As if history hasn't proven you wrong time and time again...I get it, it'll be different this time.

            If so, I'm real glad you're not doing my security. If it shows up - ever - in plaintext on a connected machine - then it's NOT safe...if your offline machine hasn't been backdoored in some way as to compromise the USB stick or whatever else you use to move it to the email machine and back.

            If you only want crap security, I hear there's a one liner using ROT13. You could even use it to double-encrypt for extra safety.

            Someone's never read enough Schneier? Or any basic security whatever?

            Or is it someone loves tbird as it is? Wow....

            I'll leave my coat with the bugging device in it....

            1. Anonymous Coward
              Anonymous Coward

              Re: The trouble with PGP is that

              Someone's never read enough Schneier? Or any basic security whatever?

              Or as Clive puts it, extending your security boundary beyond your connected device which is exactly what I do. Any connected device here is automagically considered untrusted.

        2. chroot

          Re: The trouble with PGP is that

          SMTP does server-to-server encryption. PGP and S/MIME do end-to-end encryption.

  3. Anonymous Coward
    Anonymous Coward

    Enigmail was usable

    Back when I still used Tbird...enigmail worked fine. Not that many people used PGP :-(

    1. Christian Berger

      Re: Enigmail was usable

      Yes, but there were still many things that it could have done automatically, like sending your public key with every mail, and signing every outgoing mail by default.

      It shouldn't be to hard to make GPG do the "sensible" things by default, yet enable you to drill into the details if you need to do so.

      1. Anonymous Coward
        Anonymous Coward

        @Christian Berger - Re: Enigmail was usable

        Enigmail IS usable. Unfortunately it takes two extra steps beyond what the brain of a typical Facebook user can cope with.

  4. Anonymous Coward
    Anonymous Coward

    That's nice dear ...

    Sorry, but TB is dead to me after a year of trying to get it to play nicely with Exchange.

    The lack of anything in LinuxLand to even approach Outlook (hardly an award-winning piece of kit to start with) - or even any work on such a project - remains an enigma to me (see what I did there ?)

    If those that have been proclaiming 201x "The Year of the Linux Desktop" need a "killer app" to sell their pitch, Outlook is it. It's been the one constant on every corporate desktop I've worked with since 1998. It's the one thing that unites every user in a company.

    Yes, LibreOffice, yes, this, yes that. But <b?everyone</b> runs Outlook.

    1. Santa from Exeter

      Re: That's nice dear ...

      The only reason "everyone" runs Outlook is because "everyone" uses Exchange. As ever, Microsoft have gone down the lock in route by making it practically impossible to get anything not owned by them to play nicely with Exchange due to closed source (and woeful lack of documentation).

      1. Anonymous Coward
        Anonymous Coward

        Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

        So why no FOSS challenger to that ? Especially as Exchange is hardly Microsofts poster child for quality software either ?

        1. Anonymous Coward
          Anonymous Coward

          Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

          So why no FOSS challenger to that ?

          There may well be one somewhere out there, but treating your questions as "why no successful FOSS challenger to that?", for exactly the same reasons that corporations happily install Windows and Office, in preference to a reasonable Linux and Libre Office setup. Companies are always spending other people's money, so price doesn't matter and they believe all that crap about software being "supported" by paid vendors. Along with the fact that a whole load of business critical software is Windows (or DOS emulation) only. Look at the Munich experience. Munich certainly could have made Linux work, but in the end it was just too much like hard work to replace all the non-Linux software, and rather than persevere they retreated back to the comfortable, safe world of Microsoft.

          1. This post has been deleted by its author

          2. Anonymous Coward
            Anonymous Coward

            Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

            "Safe World of Microsoft"

            So you make a fine point about Safe != Secure ?

          3. Eddy Ito

            Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

            Yes, plus "buying Microsoft" goes in hand with the "nobody ever got fired for" adage.

          4. Pseudonymous Howard

            Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

            The failure of the LiMux project was not due to the "hard work" to create replacements for the Windows-only software. The creation of replacement tools was the main part of the LiMux project, and basically that part was quite successful.

            All the time there was a big pressure from Microsoft and even from parts of the US government to the former mayor Christian Ude.

            The new mayor Dieter Reiter is a fan of Microsoft and supported the move of the German HQ of Microsoft to Munich. After a lot of lobbying, the city council of Munich decided to stop LiMux and start the development of a new Microsoft-based system for the city. When this was decided, the LiMux project was nearly done and nobody knew how much the new Microsoft system would cost.

            At the time of the decision, there was no technical reason to stop LiMux. It was all about lobbying, affiliation and there are even allegations of corruption. Basically it should have been a big scandal, but since not many people really understand what it's all about, it never got any bigger media coverage.

        2. Doctor Syntax Silver badge

          Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

          "Especially as Exchange is hardly Microsofts poster child for quality software"

          When you've achieved lock-in why would you need quality?

        3. Jeremy Allison

          Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

          OpenChange is a FLOSS replacement for Exchange, so the protocols are understood and implementations are available in open source.

          1. Lee D Silver badge

            Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

            "OpenChange is a dormant open source project"

            "OpenChange is a great proof of concept, but it is not ready for production use."

            Nobody's come close to an open-source Exchange compatible replacement, same way that's it's taken DECADES to come up with an open-source AD compatible replacement (and that isn't really something I'd run someone else's business on... maybe my own, knowing what it is, but not something I'd implement for someone else).

            This stuff is hard. It tooks decades to understand and code up things to read video streams from MSN Messenger, etc. and none of them were ever any good.

            Just because it exists, doesn't mean you can make a compatible open-source equivalent. Even LibreOffice "isn't Office" to most power-users. Sure, it's suffices for 99% of people, but for the 1% that want to use it professionally, they can't.

            You seriously overestimate the resources and talent available to code on open-source replacements for proprietary commercial software. Look at WINE, LibreOffice and Samba. It's the three biggest projects that do so, they aren't "there", even if they are usable, and they have more developers and money than almost anything else (you may find web browsers have more money available to them).

            That's why most places don't bother and instead end up with an OS "equivalent" (e.g. other directory protocols, etc.) that they have control over, avoid patents for, don't have stupid legacies to tiptoe around, and they can afford to build and maintain.

            1. Jeremy Allison

              Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

              I'll take Samba, as it's the one I know most about. Samba actually is "there", if by "there" you mean active use in many, many OEM products. It's not "there" as a general out-of-the-box user-installable Windows server replacement, that's probably true, but over the years I think we're realized that's not exactly where we want to be. The argument is "are we a product" or "are we a set of technologies". I personally think we're a set of technologies that other people use to build products, though opinions can differ of course.

              I guarantee there are many many commercial products that you use daily that have Samba embedded in them (many cloud storage gateways as well as on-premises storage for example). So yeah, we're "there" in that respect.

              Wine is becoming the same via Valve investment in Steam on Linux I think. That's their way forward. It's harder for LibreOffice.

              1. katrinab Silver badge

                Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                “It [Samba] is not "there" as a general out-of-the-box user-installable Windows server replacement”

                In what respect? I can install a working FreeBSD + Samba system in about 10 minutes. Linux, I’m not so familiar with, so it would take me about an hour. Windows takes me about 2 days, and ends up being a lot slower on the same hardware.

                1. Jeremy Allison

                  Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                  In the respect of there not being samba.org supplied graphical configuration tools or ease-of-use features. We tried that with swat (the Samba web config tool) and it didn't end too well.

                  I'm happy it is easy and works out of the box for you, that's what we aim for :-).

                  1. katrinab Silver badge

                    Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                    I edit the smb.conf file directly.

                    In Windows, you generally end up having to type various incantations into Powershell to do anything more than the most basic stuff, and editing the smb.conf is a lot easier than that.

                    Also, if you know what you are doing, editing the smb.conf is a lot quicker than clicking around a gui interface.

                    1. Lee D Silver badge

                      Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                      Samba is used for SMB/CIFS file access. It works. And a lot of devices have it (most is pushing it... most Android tablets would never ship with Samba by default, there are apps to be SMB clients, for example - sure, NAS, media centers maybe, etc. but otherwise no).

                      But that's just one tiny feature - with no authentication whatsoever. That's the "home user accessing the computer that's open to the entire network" feature, not any significant usage of SMB/CIFS that even a basic NAS would implement.

                      Centralised storage relies on authentication. Authentication relies on Active Directory/LDAP/Kerberos integration. In the case of Samba, those things aren't "standard" LDAP/Kerberos, I believe (correct me if I'm wrong, but didn't Samba have to ship with its own implementations? That may have changed now, but the days of things like LikeWise Open etc. it was necessary to install completely different and separate versions to the LDAP/Kerberos software that came as standard on most distros).

                      Samba touts itself as:

                      "the standard Windows interoperability suite of programs for Linux and Unix.... secure, stable and fast file and print services for all clients using the SMB/CIFS protocol... an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member."

                      You're talking about unauthenticated (or trivially authenticated, i.e. local computer logins) access to a share... but the software is claiming to offer an interoperability suite for Linux/Unix machines, as well as AD integration and domain controllership.

                      Additionally, although such SMB/CIFS isn't trivial to implement, it's literally just a tiny and necessary first step to any kind of network integration. It's literally not even enough to log into a network shared drive, for instance, rather than a home shared drive. Samba have had "co-operation" from Microsoft enforced by an EU court, not to mention EU funding, and DECADES of developer time put behind them. And they fulfill one tiny component.

                      Sure, the software gets used a lot for that (basically the equivalent of "smbclient" functionality, as was), but Samba is claiming to be, aiming to be, and has for a long time wanted to be, a lot more than a network filesystem interface. And yet it still can turn into a nightmare to, say, get to \\domain.com\netlogon ... AD auth, DFS, internationalisation, ACLs, etc. all kick in on even the most bare basics of "trying to get your Unix machines to talk to Windows machines".

                      There are no domain admin tools. Not even an "AD Users & Computers" equivalent. We're told to "just use the Windows tools" (I'd actually pay more for a Windows AD management tool set that worked on non-Windows computers, than I would for a software that let me set up a Windows AD running on a non-Windows computer). So you can't run a Windows-style AD using Samba alone, without having to manage users extremely manually.

                      The fact is, 27 years after initial release, 15 years after "Active Directory Support" was listed, it's still not there for anything other than a bog-standard, simple-passworded share - something trivially achievable with TFTP, let alone NFS or similar alternate technologies. But we have "Apple Time Machine Support" and Btrfs-compression!

                      I have created, managed, and decomissioned entire school networks reliant on Samba and projects like Likewise Open (as was, it keeps changing names) - one school we had netbooks that authenticated against the AD via PAM. They "work". If you're prepared to accept a whole bunch of caveats, severely limited functionality and manageability.

                      The reason is that it's incredibly hard to follow the protocol. Even just keeping the barest of "I'd like to access \\server\folder\filename" functionality working, up-to-date and secure takes up a vast chunk of developer time once it involved integrating with a fast-moving proprietary product that has to be reverse-engineered.

                      P.S. There's only one command in Window Powershell that I use with any regularity. The modern equivalent of ntdsutil to promote/demote DCs (I never remember the commands and have to Google them each time, that's how often I use them). Given that I administer Windows networks for a living for the last 20 years, using that as an attack on Windows is really quite weak.

                      Fact is, I can create and permission a user in Windows AD in seconds, including fine-tuned delegation of AD editing rights to the user, and all kinds of settings, group membership, inheritance, etc. It's just not possible in "Samba"... certainly not without an entire swathe of commands typed in on the console - and in a Samba-only environment, I'm not sure it's possible at all (you need AD Users & Computers running from a Windows machine?).

                      What you have is the equivalent of saying "We have Microsoft Office" when what you really have is a command-line tool like antiword that parses a .docx file for text. Sure, that may be "all most people need" but it's certainly not what's been advertised for the last 15-27 years.

                      1. katrinab Silver badge

                        Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                        I've never used Samba as a domain controller so can't comment on how that works, but authenticating against a domain is definitely doable.

                      2. simkin

                        Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

                        Samba 4+ can run as full AD directory servers or members. Windows administration tools work on them.

                        I wouldn't necessarily recommend it for an SMB, but if you have anyone in ops who actually knows how to run Linux it's quite possible to fully implement an AD server infrastructure using just Samba.

        4. Anonymous Coward
          Anonymous Coward

          "So why no FOSS challenger to that ?"

          Because it's an expensive piece of software to develop without any real return. Heck, in Linux you still get separate software for SMTP and POP/IMAP instead of integrated solution - do you expect they would also integrate all the other functionalities Exchange delivers? Moreover Exchange plays well with Active Directory, so you don't need to manage users and mailboxes separately - and Linux can't still agree on a single, powerful, default identity management system easy to setup and use.

          Last but not least, with the distro and desktop fragmentation, delivering something alike Outlook is quite impossible. Again, it's a complex piece of software with a dedicated UI which requires a not small development effort.

          And one of the few Linux backers until late was IBM - which had all the interest in selling notes....

          It's the same old story, Linux fails to deliver advanced software because there's little interest in investing in it as long as you have to give it away for free.

        5. Anonymous Coward
          Anonymous Coward

          Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

          > So why no FOSS challenger to that ?

          What problem exactly does Exchange solve? Incidentally, I thought it was a 90s thing. I'm surprised that it is still around.

          1. mmccul

            Re: The only reason "everyone" runs Outlook is because "everyone" uses Exchange.

            Exchange is, whether people like to admit it or not, one of the top integrated enterprise calendaring tools available. It supports plugins for various web meeting tools (e.g. BlueJeans, WebEx), and a very effective scheduling tool. It even supports managing conference rooms.

            Forget the email. It's the calendar that keeps Exchange so popular with managers.

    2. Anonymous Coward
      Linux

      Re: That's nice dear ...

      "The lack of anything in LinuxLand to even approach Outlook"

      Evolution EWS has been around for a very long time and is displaying my Exchange mailboxes right now.

      1. Anonymous Coward
        Anonymous Coward

        Re: Evolution EWS

        is pants when it comes to connecting to Outlook365 accounts. Although I grant the shim of GnomeOnlineAccounts might be more the culprit.

        1. BlueTemplar

          Re: Evolution EWS

          Are you sure that isn't Microsoft's fault for not properly using an open standard ?

          1. Doctor Syntax Silver badge

            Re: Evolution EWS

            "Are you sure that isn't Microsoft's fault for not properly using an open standard ?"

            That's not a fault, it's a feature.

        2. ni!

          Re: Evolution EWS

          Works fine for me - i've got 2 O365 accounts and an IMAP one all on evolution. The only real issue is it seems to want me to log in every time for each EWS account for each thing - once for calendar, once for mail, once for oab, once for birthdays, once for bank holidays etc., for both EWS accounts. It woks ok after doing that though

          1. src

            Re: Evolution EWS

            I don't use EWS but I do use Evolution on CentOS 7 with IMAP and Google Calendar. I must say that the reliability of Evolution has much improved with the upgrades it has received during the lifetime of CentOS 7. If you haven't tried it for a while I recommend taking another look.

      2. KSM-AZ

        Re: That's nice dear ...

        Turn on MFA. Watch it break.

    3. Anonymous Coward
      Anonymous Coward

      Re: That's nice dear ...

      Since you're being so fair-minded about it, giving TB a year first, when are you ditching Exchange for not playing nicely with Thunderbird (or just about anything else)?

    4. Ken Hagan Gold badge

      Re: That's nice dear ...

      "But <b?everyone</b> runs Outlook."

      Really? Who the fuck uses Outlook? I haven't touched it in 20 years and I can't recall seeing anyone round the office using it for a long time either. That's not to say that they are using anything better, but any talk of Outlook as some kind of default option for email sounds very odd to my ears.

      Similarly, who uses Exchange, and why? It costs a packet, forces you to use Outlook, and delivers nothing that you can't get from free software. You'll be telling me next that these people use IIS to serve web pages, or something?

      1. Anonymous Coward
        Anonymous Coward

        Re: That's nice dear ...

        Didn't you know? "everyone" uses IIS. duh.

    5. JohnFen

      Re: That's nice dear ...

      "But <b?everyone</b> runs Outlook."

      Not true. TBird's lack of Exchange support has never caused me even the slightest bit of hassle. I'm not arguing that such support wouldn't be worthwhile to some users, but I am arguing that the notion that everyone runs Outlook/Exchange is objectively incorrect.

      1. KSM-AZ
        Holmes

        Exchange connectors

        As long as you are not doing MFA, davmail will convert O365 to imap/smtp/davical/carddav/ldap. Calendars not so great, the rest of the stuff is pretty good. Our MFA has an on-net exemption, to I just fire up a vpn connection and use davical. I am using thunderbird. On balance it's currently best in breed for my use. A bit high on the knob turning, but enigmail works well, and lightning is barely tolerable. the stalls from Evolution drove me nuts. I handle several hundred messages a day. Back in the day mail filtering was done by a '.forward' file in your home folder, and then processed by your MTA as got dropped in your maildir (or . . .). Again exchange integrated and hid all this in a standalone server. Good design choice, woeful implementation.

        The 'exchange calendars' plugin for TB is very good. except. No MFA, and it goes berzerk if I'm online but not on VPN. Considering a TB container with a full time VPN tunnel X'd to the not-wayland local display. Arf, arf.`

    6. KSM-AZ

      Re: That's nice dear ...

      The nice thing is how well outlook runs with exchange. Well most of the time. Maybe. Unless you have a Samsung phone. Or how well 'modern' auth works. You know 2FA with O365 is so . . . Uh, er, stable...ish. And how the native clients work so well with 'modern' auth. If I hear one more MS flunky talk to me about 'Modern Auth, and how you can't have security without it, I'm going to shove my phone down his or her throat.

      Frankly none of the mail clients on the planet today are worth a sh*t. Evolution? T-Bird? I used to like the integrated opera mail client, but It died with the old rendering engine. And good ole MS. They've had what? 6 or 7 different 'standards' for communicating with exchange. I believe we are going back to MSA or whatever it was because OWA doesn't support ... wait for it .. 'Modern Auth'.

      The calendar integrations for the various non-ms cruft, ical, davical, whatever-you-cal lit. They are either implemented poorly or broken, I don't know which.

      And now that my company O365 password is changed, my win10 native mail client won't talk any more either. ADFS is an abortion. If someone comes up with something better that works, I'm all in, but I'm still confused as to why one could not trivially extend IMAP/POP/Whatever to create a 2nd factor or token.

      My biggest gripe has always been around separating SMTP. I wrote a pop3 daemon years ago that would allow the XMIT extension supported on several text mail clients. Eudora comes to mind. This was always the big win with Exchange, simpler to connect, and tied into your directory service. IMAP has extensions for this as well, but I never really understood why one would complicate the interaction so much over pop3.

      I could fairly trivially hack my pop3 daemon to handle tokenized and/or MFA as well, so frankly I just don't get why nobody ever supported stuff like this in a client.

    7. Anonymous Coward
      Anonymous Coward

      Re: That's nice dear ...

      > Sorry, but TB is dead to me after a year of trying to get it to play nicely with Exchange

      Sorry, but Exchange is dead to me after two minutes of trying to configure the sorry shit on an email client.

    8. mmccul

      Re: That's nice dear ...

      I tried Outlook. It failed the Google Calendar test, unable to display all the calendars shared with me. Thunderbird was the first client on Windows that could work with Exchange, Google, and local calendars. (On macOS, the native calendar worked).

      For me, the killer app was calendar, not email. I have to be able to display all my calendars (and those of family members that are delegated to me) in one integrated view. Talking to a few of my peers, they ended up using their mobile phones for such, but given the "we own any android/iOS device that connects to our calendar" trends, that's not very attractive to me.

  5. Anonymous Coward
    Anonymous Coward

    The current eight personnel are to be expanded to 14

    omg

    1. bombastic bob Silver badge
      Meh

      Re: The current eight personnel are to be expanded to 14

      I smell an excessive corporate influence, resulting in what happened with Firefox:

      a) 2D FLATSO FLATTY McFLATFACE FLUGLY-ness with HAMBURGER MENU

      b) no more UI tweeks

      c) removal of whatever customization is left, with limited 'theme' options

      Yes, two companies currently do this, Google and Micro-shaft, and i don't use Chrome on the desktop because of it, and 52-ESR Firefox is still working for me... but may deserve a fork, soon.

      I hope I don't have to do this with T-bird to avoid the FLATSO and the HAMBURGER MENU.

      But that's the trend of ARROGANT developers who *FEEL* like WE want what THEY "Feel". And removal of choice to FORCE it.

  6. Whitter
    Meh

    Press release?

    Or a mini-interview that was essentially a press release?

  7. Anonymous Coward
    Anonymous Coward

    The UI is basically fine and mild tweaks only needed, Mozilla do not do a Microsoft on it and turn it into a complete cluster fuck like Skype or their other offerings.

  8. Anonymous Coward
    Anonymous Coward

    How To Do Encryption IN THE REAL WORLD

    Use Office Encryption. Already built-in to major Office packages.

    Use PDF Encryption. Also built-in to many PDF generators.

    Use ZIP encryption. Built into any real Zipper.

    Use keys such as PaperPhoneWileyLikely. Transmit via phone call. If that is not secure enough, send a letter.

    GNUpg or PGP is way too complicated and almost nobody will remember how to do it after a few weeks.

    1. Anonymous Coward
      Anonymous Coward

      Re: How To Do Encryption IN THE REAL WORLD

      Some of those are suspected to be back doored or weak

      If you go to the bother of encrypting, it should work

      1. Anonymous Coward
        Anonymous Coward

        Re: How To Do Encryption IN THE REAL WORLD

        Any references ?

        Afaik, the major "weakness" is due to weak keys (they are NOT passwords) from users. But that is not the fault of the cipher itself.

        1. BlueTemplar

          Re: How To Do Encryption IN THE REAL WORLD

          AFAIK Office (and AdobePDF) are closed-source software, so you can't be sure there are no weaknesses/backdoors. And considering the last decade, you should assume that there *are*.

    2. Anonymous Coward
      Anonymous Coward

      Re: How To Do Encryption IN THE REAL WORLD

      Proof positive that the NSA and GCHQ are reading/posting on El Reg...#worstsuggestionsever

      1. Anonymous Coward
        Anonymous Coward

        Re: How To Do Encryption IN THE REAL WORLD

        Yeah sure. Fasten your tinfoil hat.

    3. entfe001
      Windows

      Re: How To Do Encryption IN THE REAL WORLD

      Does any of those support asymmetric encryption? You know, to avoid the hassle of secret pre-arranging and password sharing

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: How To Do Encryption IN THE REAL WORLD

        Normal people won't cope with asymmetric ciphers. But they understand the concept of key sharing.

        And, if your opponent is your *own* sigint agency, you have serious other problems.

        1. Cynic_999

          Re: How To Do Encryption IN THE REAL WORLD

          "

          Normal people won't cope with asymmetric ciphers.

          "

          Normal people would not be able to cope with SMTP headers or MIME encoding/decoding either.

          Fortunately the mail applications make such things completely transparent so the user does not need to have the slightest idea of how they work (or even that they exist at all).

          Just as could be done with asymmetric encryption such as PGP. OTOH on the occasions I've needed to do so, I've found that a "normal" (i.e. non-technical) person was able to cope with the likes of Kleopatra perfectly fine. Even lawyers were able to use PGP after a little coaxing (e.g. "I'll be hiring someone else if you are unwilling to encrypt our communications.") ...

        2. Steve Knox
          Holmes

          Re: How To Do Encryption IN THE REAL WORLD

          Normal people won't cope with asymmetric ciphers. But they understand the concept of key sharing.

          You don't spend much time with normal people, do you? Normal people don't really get the concept of encryption keys, period, let alone key sharing. It's not because they're incapable, mind. It's because they couldn't give a flying fuck.

          Encryption, for normal people, is stuff the techies are supposed to sort out.

    4. Anonymous Coward
      Anonymous Coward

      @AC - Re: How To Do Encryption IN THE REAL WORLD

      ZIP file encryption ? Watch what you're wishing for, son! How would you like to manage/distribute one encryption key for each partner you're trying to communicate with. PKI and asymmetric encryption is there for a reason that you're obviously missing.

      1. Persona Silver badge

        Re: @AC - How To Do Encryption IN THE REAL WORLD

        PKI was invented to distribute symetric encryption keys over an insecure channel. The problem with PKI's is that everyone needs to use the same one (though bridging is possible). Both national governments and financial instututions wisely see no net benefit to prioviding large scale PKI's, so they are fragmented. You also need to trust the PKI to correctly distribute the public key. It gets really messy when you start factoring in key expiry and revocation and people forgetting their private key. These complications have limited it to small scale deployment, and this hasn't improved in the last 20 years.

        1. TrumpSlurp the Troll
          Windows

          Re: @AC - How To Do Encryption IN THE REAL WORLD

          Public keys are asymmetric.

          Asymmetric encryption and decryption is inefficient, and is generally only used for signing and for encryption/decryption of symmetric keys which are used for bulk encryption.

          PKI the clue is in the name. Public Key Infrastructure. Hence asymmetric key distribution.

    5. JohnFen

      Re: How To Do Encryption IN THE REAL WORLD

      PDF and ZIP encryption are both readily breakable.

    6. KSM-AZ
      IT Angle

      Re: How To Do Encryption IN THE REAL WORLD

      I reply to this because,... If you want to do ANY one-way key crypto, it's just not trivial. My pubkeys are registered, I copied my .gnupg folder onto the box fired up TB installed enigmail, checked the sign all mail box, and off I went. There is another box to 'encrypt by magic' for folks in your keyring.

      Seahorse is reasonably intuitive to set up a fresh set of keys, or add pubkeys of people you know. And enigmail will happily add any .gpg/.pgp pubkeys if you let it and confirm.

      I've tried to explain 1-way crypto to the unwashed masses several times. They don't get it. Neither did the IBM salesman understand 'Blockchain' tech he was trying to sell me. But he sure did want me to buy it for a lot of 'bitcoin' ;)

  9. DrXym

    PGP is better than the alternative

    In the early days of Outlook / Netscape Navigator, they adopted S/MIME for encrypting messages.

    Sadly this doomed encryption almost from the very beginning because:

    1. The user interfaces for using encryption were awful, barely afterthoughts

    2. S/MIME uses certificates with rsa asymmetric encryption and it was SLOW

    3. Obtaining a new cert/key was a massive pain in the arse and usually involved paying money. A tax on security.

    4. Keys expired every year, compounding the pain.

    So it was a garbage implementation of a garbage crypto mechanism.

    By contrast most PGP extensions to email apps were relatively sane by comparison - create a key for free, use it as long as you like, add other people to your web of trust. It all fits relatively naturally with email but as extensions the experience never felt fully integrated (despite being easier than the built-in crypto) so few people bothered. And using crypto always felt like standing above the parapets - you must be up to something to be using crypto rather than it being the default for everyone.

    And these days with webmail, any chance for secure encryption by default is long gone. Even if the transit of email is secured, even if the viewing of the email is secured, the actual email itself isn't. Google (for example) can and do read emails, ostensibly for beign reasons, e.g. so they can remind you about your upcoming flight or whatnot, but who knows what else they do or who else they allow to see it.

    1. Anonymous Coward
      Anonymous Coward

      Re: PGP is better than the alternative

      Still way too complicated for the average business guy. See my post reg. Office encryption above.

    2. Anonymous Coward
      Anonymous Coward

      @DrXym - Re: PGP is better than the alternative

      Sorry to pierce your bubble but Mailvelope works like a charm with Gmail, Yahoo mail and other. The encryption is done on your PC and Google happily handles an encrypted blob.

    3. chroot

      Re: PGP is better than the alternative

      We use S/MIME in our company and it is extremely easy to use, once set up.

      1. Anonymous Coward
        Anonymous Coward

        "We use S/MIME in our company and it is extremely easy to use, once set up."

        Using it inside a company is far easier - especially if you have a directory service storing user certificates and connected to the mail system - the problem of all these systems is to use them among companies and external users.

    4. Anonymous Coward
      Anonymous Coward

      "S/MIME uses certificates with rsa asymmetric encryption and it was SLOW"

      "1. The user interfaces for using encryption were awful, barely afterthoughts"

      Are you talking about PGP? Because to use S/MIME you usually just set the "encrypted" flag in many clients - setting it up may be another issue.

      "2. S/MIME uses certificates with rsa asymmetric encryption and it was SLOW"

      No. Most implementation uses 3DES. They use RSA certificates for signing and to protect the symmetric key. AFAIK, recent versions of Outlook can use AES256, but it needs support on both sides.

      "3. Obtaining a new cert/key was a massive pain in the arse and usually involved paying money. A tax on security."

      If you need a "public" certificate, yes. You can setup your PKI system and it will work alike PGP - you'll have no "built-in" trust, so you'll need to trust each certificate or the CA issuing them.

      "4. Keys expired every year, compounding the pain."

      That's a _good thing_, especially if you don't have published CRLs or any other way to know when a key is no longer valid You don't want someone being able to use your company keys when he/she no longer works for you. Expiration puts an automatic limit on it. A good PKI system is able to renew the keys for active users automatically.

      "add other people to your web of trust"

      That's good for your personal email - in many business situations you don't want "personal" web of trusts.

      "Google (for example) can and do read emails"

      If they're encrypted end-to-end, even Google can't read them unless you give it your keys... S/MIME is not SMTP with TLS.

  10. AndrueC Silver badge
    Thumb Up

    I moved back to it from TheBat! a few weeks ago and must say I'm impressed. Or at least very satisfied. I forget why I moved away previously but so far Thunderbird is doing everything I need it to. Its IMAP support is a lot better than TheBat!'s in that it actually works and works well. No random connection drops, no random inability to download message content and TB is happy to work with large folders like Trash - I was beginning to think a couple of my archive folders had got corrupt but no, a decent email client shows the contents to still be there and fully accessible. The Thunderbird UI is a little odd but it didn't take long to get to grips with it and it's snappy enough.

    Another example of open source software being better than a commercial rival. I'm off to make a donation :)

    1. AndrueC Silver badge
      Thumb Up

      I found out why I changed. I use a DEA system for email so I need to be able to change the From: address to anything when creating an email and I need the mail client to be able to set the From: address from the To: field when replying to an email. Out of the box TB can only do this by requiring the user to manage multiple identities which is a bit tedious. Creating the first email for a contact means first creating an identity for them and over time you'd end up with a lot of identities in the list.

      Thankfully there's now a TB add-on called 'Virtual ID' which looks like it can do exactly that. That's actually more elegant than the previous client which required me to write a slightly complicated script.

  11. myhandler

    Thunderbird search stinks to high heaven and beyond.

    Search for 'weds' and you will get weddings as well as some Wednesdays .

    Stemming search I think they call it - but it can't be switched off. ASININE BEYOND BELIEF.

    Filterng the results of search also stinks:

    The list of recipients updates if you filter by year - but if you filter with "not involving this person" - any other people who only appear under that inital user you've filteredd out are still shown in the list, so you have to remove dozens to get a reasonalble list of possibles. It's pathetic.

    But yeah a new fancy UX is more important - not.

    I bet it looks like a bloody app next year.

    1. JohnFen

      "Thunderbird search stinks to high heaven and beyond."

      This is 100% true.

    2. Fred Goldstein

      I agree. I use TB but almost never use its search. I do however make frequent use of Quick Filter. An add-on called Expression Search enhances it so I can type, for instance, "s:bananas" or "f:register", more flexibly than the regular TB options. It's nowhere near as good as the X1 Search in the old Eudora Pro but it's still pretty useful.

      The standard search is only useful when looking for a really obscure string. So it might help for finding "phlegmatics" if I know that occurred in one old email but I can't recall where or when. But otherwise it's pretty useless.

  12. Florida1920

    FossaMail

    Some time ago, someone at TBird decided the name of some field had to be changed. It looked like rearranging the deck chairs, so I switched to FossaMail. The cat-like carnivore was abandoned, but it still works for my minimal email and RSS requirements. Being abandoned, at least I don't have to worry about an update that changes something that didn't need to be changed.

  13. Doctor Syntax Silver badge

    "Thunderbird's look ... will be supported by a dedicated UX staffer."

    There goes the neighbourhood.

  14. Doctor Syntax Silver badge

    "When the Mozilla Foundation decided to turn the email client loose in May 2017, its future looked doubtful, but it's still here"

    There was strong support for the Document Foundation taking it over. I wonder if a serious rival was what made Mozilla change its mind.

  15. JohnFen

    Dear TBird team

    Please don't screw it up! After seeing the changes to Firefox, I'm very very nervous.

    1. Rasslin ' in the mud

      Re: Dear TBird team

      If by "screw it up" you mean changing the perfectly good and traditional names of folders like "Trash" to "Deleted," you're too late.

      1. David Pearce

        Re: Dear TBird team

        No, by becoming bloated and trying to push things into "the cloud" like passwords.

      2. wsmwk

        Re: Dear TBird team

        "Trash" is the default naming in Thunderbird. If you are seeing the name "Deleted", it's because your ISP has decided that's what the trash folder should be named.

  16. Anonymous Coward
    Anonymous Coward

    This is why I am NOT donating to Thunderbird, sadly

    From the donations page:

    "Contributions go to the Mozilla Foundation, a 501(c)(3) organisation based in Mountain View, California, to support Thunderbird. Mozilla reserves the right to find another use for the funds if it determines that Thunderbird is no longer furthering Mozilla’s mission"

    No, sweetheart. If Thunderbird "is no longer furthering" your mission, then you give the money to the devs working on Thunderbird or refund it. If it is no longer part of Mozillla, why the fuck are they taking the donations at all?

  17. Anonymous Coward
    Anonymous Coward

    No no no no no no no no no!

    Dear Mozilla,

    No. Please god no. Not thunderbird. Please.

    I know, it's slipped under your radar for years and so you've forgotten to turn it into complete dogshit. I know, you love turning functional, flexible software into complete dogshit with horrible flat UIs, hamburger menus, and no customisation. But I actually need to use thunderbird. And I need to use a bunch of my thunderbird extensions like lightning, cardbook, and enigmail (which, by the way, already does what you say you're going to do).

    "Thunderbird's look – the subject of a design consultation last year – will be supported by a dedicated UX staffer."

    Oh god no. Not a dedicated UX staffer. Does he have pointy hair? Does he use a mac? Was be born this century? I bet he was. And he's going to turn my perfectly functional and flexible UI that I've been using since before he was born into a clusterfuck that makes everything more difficult while simultaneously having less functionality. Impressively, it'll somehow manage to do this while also looking fucking stupid, using up more screen real estate, and running slower. But I guess on the positive side I'll get a whole slew of new emojis, and the existing ones will be redesigned. So there's that.

    I predict an "sudo apt-mark hold thunderbird" in my future. And shortly after that, a switch to a fork of the last sensible version.

    Please, Mozilla, just abandon thunderbird and let the community take care of it. I'd rather have nobody maintaining it than have mozilla do what mozilla does.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like