Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

We put together a 40-page document with many screenshots concerning usability issues in Thunderbird security. Who's the right contact at Thunderbird to sent to?

  • 5 replies
  • 1 has this problem
  • 1 view
  • Last reply by Wayne Mery

more options

Dear Thunderbird developers, dear Mozilla Foundation.

I belong to a team of German academics who use Thunderbird under Windows and Linux and we'd like to do so in the future. Nevertheless, there are some things which should be improved. We'd be happy to deliver our findings and afterwards (after you implemented it in a better way) do an exhaustive testing. We can even help with some bachelor theses if you support us in how to integrate the results into the default Thunderbird distribution.

We teach crypto courses for students and pupils. We collected their feedback and documented the issues people have with Thunderbird when performing encryption and signing messages.

How can we upload the 40-page pdf document to share our findings -- the website (https://support.mozilla.org/en-US/questions/new/thunderbird/privacy-and-security) only accepts images?

Our 40-page document contains scenarios (with many screenshots) preventing users from using TB for email security. The document's structure is like this: 1. S/MIME only; 2. S/MIME and Enigmail; 3. Enigmail only. There are things where the wording is just misleading; however, more things are just wrong.

We really hope that this documentation is helpful. Thanks a lot for your response.

Best regards, Bernhard

Dear Thunderbird developers, dear Mozilla Foundation. I belong to a team of German academics who use Thunderbird under Windows and Linux and we'd like to do so in the future. Nevertheless, there are some things which should be improved. We'd be happy to deliver our findings and afterwards (after you implemented it in a better way) do an exhaustive testing. We can even help with some bachelor theses if you support us in how to integrate the results into the default Thunderbird distribution. We teach crypto courses for students and pupils. We collected their feedback and documented the issues people have with Thunderbird when performing encryption and signing messages. How can we upload the 40-page pdf document to share our findings -- the website (https://support.mozilla.org/en-US/questions/new/thunderbird/privacy-and-security) only accepts images? Our 40-page document contains scenarios (with many screenshots) preventing users from using TB for email security. The document's structure is like this: 1. S/MIME only; 2. S/MIME and Enigmail; 3. Enigmail only. There are things where the wording is just misleading; however, more things are just wrong. We really hope that this documentation is helpful. Thanks a lot for your response. Best regards, Bernhard

Chosen solution

One possible path is the following 1. Create a bug create a bug to which you attach the PDF. We'll make that a meta bug 2. You or someone else can make individual bugs out of each discrete issue in the proper product component (in bugzilla we create one bug per one issue), and we'll make each block the meta bug of step 1. 3. We can discuss how to proceed in cases where you have students who can fix bugs, and whether mentors are needed.

It might be a good exercise for members of the team to create the bugs. Note, enigmail is not part of Thunderbird. So where issues involve enigmail code, bugs must be filed against enigmail. Those can also be linked to the meta bug.

If there are things that might be big enough to be a "project, we might also discuss GSOC? See https://wiki.mozilla.org/SummerOfCode#2016 and https://wiki.mozilla.org/Community:SummerOfCode16 and https://developers.google.com/open-source/gsoc/timeline?hl=en We don't yet have ideas listed for 2016. The ideas of 2015 are at https://wiki.mozilla.org/Community:SummerOfCode15#Thunderbird

Read this answer in context 👍 1

All Replies (5)

more options

Bernhard, thanks for reaching out.

Are any issues in your document exploitable security exposures that are not currently in the public domain, and should not be public until they are fixed?

more options
Wayne Mery #answer-835039: Are any issues in your document exploitable security exposures that are not currently in the public domain

The document doesn't contain exploits, but usability issues, which prevent users from further applying email security or let them apply it in an unintended manner.

more options

Chosen Solution

One possible path is the following 1. Create a bug create a bug to which you attach the PDF. We'll make that a meta bug 2. You or someone else can make individual bugs out of each discrete issue in the proper product component (in bugzilla we create one bug per one issue), and we'll make each block the meta bug of step 1. 3. We can discuss how to proceed in cases where you have students who can fix bugs, and whether mentors are needed.

It might be a good exercise for members of the team to create the bugs. Note, enigmail is not part of Thunderbird. So where issues involve enigmail code, bugs must be filed against enigmail. Those can also be linked to the meta bug.

If there are things that might be big enough to be a "project, we might also discuss GSOC? See https://wiki.mozilla.org/SummerOfCode#2016 and https://wiki.mozilla.org/Community:SummerOfCode16 and https://developers.google.com/open-source/gsoc/timeline?hl=en We don't yet have ideas listed for 2016. The ideas of 2015 are at https://wiki.mozilla.org/Community:SummerOfCode15#Thunderbird

more options

1) Creating a bug and attaching the PDF worked well. Thanks.

2) The team I am working with is crypto related, so the main reasons for using TB are stability, multi-platform support, and good support of encryption. We agree "Enigmail" is not part of TB, but its functionality should be, as both standards (S/MIME and PGP) have a similar market share, they both should be supported by TB itself. This could guarantee a consistent way in using these two email encryption standards.

So our request is a built-in PGP support -- and as the Enigmail plugin has a broad user community we think it would be best to contact the author of Enigmail and discuss its integration into Enigmail. Some things there are solved more user friendly than in the current TB GUI for S/MIME.

> 3. We can discuss how to proceed in cases where you have students > who can fix bugs, and whether mentors are needed. Thanks a lot -- I'll get in contact with you if we have an according student.

more options