[Enigmail] General Opinion and unverified bug

Kristy Chambers K.Chambers at openmailbox.org
Sun Mar 8 21:05:33 CET 2015


Hello people,

sorry for my late reply.

Since my last post, several other posts came up, to cheer Enigmail or
developers, to tell me that I'm rude, to tell update films and some
politics.

I think many haven't understood my position very well. Since I am
teaching people to use crypto-tools like Enigmail and OTR, it is my keen
interest that usability-friendly, but still secure, tools become
widespread, so that we can establish end-to-end cryptography suitable
for the masses. I have already pointed out that Enigmail is probably the
best mail signing and cryptography (based on OpenPGP) we have, but I
still have many concerns about the usability of Enigmail.

To the people who cheered on Enigmail and the developers: Fine for you.
This is the wrong thread. You should have created your own thread for
how cool Enigmail is. You forget that there are a lot of non-tech-savvy
people who TOTALLY do not understand how to use Enigmail correctly. Not
because they are dumb, but because of usability issues. I have also seen
computer science students who are using Enigmail wrong, because they
mixed up ownertrust and certifying.

I know that there were already discussions about the (GnuPG)
terminology of Enigmail. I don't think that an addon which should
easily provide signing and encrypting mails for the masses should use
very technical terms, which are coming from a "low-level" tool for
rather tech-savvy people like GnuPG. Just use abstractions. The users on
Layer 8 just want to know if they can trust an e-mail or not. Or if
they are doing it right or not.

When receiving a signed email there are only four possibilities:
1. the message is manipulated (wrong signature)
2. signed, but not verified (certificate of sender not valid)
3. signed and verified
4. signed, but cannot check signature (missing public key)

In the first case, you can just show a huge red bar, telling the user
that the message can't be trusted.

In the second case, you can show a yellow (maybe also red) bar and
tell the user that, as long as he does not verify the certificate behind
the signature, the message cannot be trusted. I find it helpful to
tell what a user can do to verify a certificate. Tell the user to get
the fingerprint from the communication personally ("securely") and then
sign (you could use another term like authenticating) the
certificate. (Make local certifications default, to keep the WoT from
trash certifications.)

In the third case you can show a green bar and tell everything is fine.
The user has done everything he can do.

In the fourth case you can show a grey bar and tell that no information
can be made about the signature, and provide at the same time a
download-button to download the certificate from the keyserver.

Some of these ideas are more or less realized in Enigmail already. But
this can be better. In the current situation (haven't seen version 1.8),
the user is confronted with terms "correct/incorrect", "good signature",
which are not really understandable by non-tech-savvy users. I don't see
any reasons to take terms from GnuPG here.
The coloring is almost as I described, except that in case 4 the color
is yellow instead of grey and you have to do more clicks to download the
certificate. I'm just seeing that Enigmail is using cyan (turquoise)
for case 2. Why? Isn't it obvious that this is a case that deserves a
warning and therefore a warning color like yellow?

This is just one part which led me to my "General Opinion" on Enigmail.
These problems are probably so easily fixable to get a better usability.
I don't know if the Usability team of Enigmail meets non-tech-savvy
people to actually realize that this could probably be confusing.

What I also want to mention is that some usability fails result from
OpenPGP and missing standards, so that the Enigmail developers can't do
much against it.

To John and Robert:
> John:
> 1) Always assume the most nefarious user(s) will attack the code. [...]
> When dealing with software touching on issues of privacy, security, or
> encryption, one MUST consider the often vociferous reactions of the tinfoil
> hat crowd.[...]
> I'm not saying shut up. I'm saying read up, ask questions.

> Robert:
> I have lifelong close affiliations with government and law-enforcement.

> For this reason, it is important that I never touch the codebase of anything that people fear might be a target for subversion by the United States government.

> I’d like to add — there are lots of ways to contribute that don’t involve code, and which even “contaminated” people can do.

You both kinda act as if you want to establish high security standards
for Enigmail by talking about assuming the most nefarious users and
keeping bad people away from the code. This doesn't make much sense to
me. It's even irrational to me. And I'll tell you why:

You are almost always talking about code. I think you would agree that
the security of a tool is not only dependent on the security of the
code, but also dependent on using the tool correctly. The better the
usability of a tool, the higher the chance to use it right, and
therefore to use it securely. A secure-coded tool with failed usability
isn't actually a secure tool. You don't agree with that?

John, you are talking about vociferous reactions of the tinfoil hat
crowd. You want to consider this crowd? Then let me play this crowd:
"No one of the Enigmail project has really an interest that some
experts want to look at the code. It may be reasoned that Robert
shouldn't touch the code, but no one is asking how to find other
skilled people who would probably want to look at the code.
The usability of the Enigmail addon leads people to use Enigmail
insecurely. If you install Enigmail and are led by the assistant, you
don't get any warnings on man-in-the-middle attacks. People with no
knowledge are downloading certificates, and can use them WITHOUT ANY
WARNINGS. Probably there are people out there who think they are
encrypting their email securely, who never signed another key or checked
fingerprints.
The usability team consists of some people, like Robert, who "has
lifelong close affiliations with government and law-enforcement". Maybe
he is an NSA-agent with an interest to make the usability of Enigmail
bad. To do this, he doesn't need to do something actively. He just needs
to do nothing, as long as people like here in the thread are cheering
like Enigmail is the usability-friendliest tool in the world.
As far as I know, Robert actively defends to stay with the
usability-unfriendly terms of Enigmail in the Enigmail project. If the
Enigmail project wants to establish high standards, people like Robert
shouldn't be in the usability team."

As I mentioned, I "played" the crowd. It doesn't reflect my opinion. It
should only show, how irrational itself it is to take irrational garbage
seriously.

If we want to decrease irrational garbage comments on security tools
like Enigmail, the only way to do this is to increase the quality of
Enigmail in terms of objective measures. I think I don't have to go far
afield on this topic, since you think I'm not qualified for it.

Last but not least I want to thank Ludwig, who saw concerns and
constructiveness in my posts. That's the case.

(I haven't read my post a second time. Too lazy. Bad language and some
mistakes may be included.)

Best regards,
Kristy
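
The four cases proposed in the message above, as an added example that is not part of the original post and not Enigmail's code: a JavaScript function that classifies the status lines GnuPG writes to `--status-fd` into those cases and picks the bar color. The function name, the sample key ID and the treatment of expired, revoked and marginally valid keys as case 2 are assumptions.

```javascript
// Added example, not Enigmail code. Bar colors follow the post's proposal.
const BARS = { bad: "red", unverified: "yellow", verified: "green", unknown: "grey" };

// statusText: the text gpg writes to --status-fd while verifying a message.
function classifySignature(statusText) {
  let good = false, bad = false, err = false, invalid = false, missingKey = null;
  const trust = [];
  for (const line of statusText.split(/\r?\n/)) {
    if (!line.startsWith("[GNUPG:] ")) continue; // only status lines count
    const [keyword, ...args] = line.slice(9).trim().split(/\s+/);
    if (keyword === "GOODSIG") good = true;
    else if (keyword === "BADSIG") bad = true;
    else if (keyword === "ERRSIG") err = true;
    else if (keyword === "NO_PUBKEY") missingKey = args[0] || null;
    else if (["EXPSIG", "EXPKEYSIG", "REVKEYSIG"].includes(keyword)) invalid = true;
    else if (keyword.startsWith("TRUST_")) trust.push(keyword.slice(6));
  }
  // Worst result wins, so one bad signature is never hidden by a good one.
  let state;
  if (bad) state = "bad";                                  // case 1
  else if (err || missingKey !== null) state = "unknown";  // case 4
  else if (invalid) state = "unverified";                  // assumption: expired/revoked shown as case 2
  else if (good) {
    // Assumption: only full or ultimate key validity counts as "verified";
    // a missing TRUST_ line, UNDEFINED, NEVER and MARGINAL all stay in case 2.
    const valid = trust.length > 0 && trust.every((t) => t === "FULLY" || t === "ULTIMATE");
    state = valid ? "verified" : "unverified";             // case 3 or case 2
  } else return null;                                      // no signature status at all
  const offerKeyDownload = state === "unknown" && missingKey !== null;
  return { state, bar: BARS[state], offerKeyDownload, keyId: missingKey };
}

// Constructed sample status output (key ID and names are made up).
const SIG = "1122334455667788 Alice Example <alice@example.org>";
const SAMPLES = {
  bad: `[GNUPG:] BADSIG ${SIG}`,
  unverified: `[GNUPG:] GOODSIG ${SIG}\n[GNUPG:] TRUST_UNDEFINED`,
  verified: `[GNUPG:] GOODSIG ${SIG}\n[GNUPG:] TRUST_FULLY`,
  unknown: "[GNUPG:] ERRSIG 1122334455667788 1 8 00 1425845133 9\n[GNUPG:] NO_PUBKEY 1122334455667788",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(classifySignature(text)));
}
```

A good signature with no `TRUST_` line at all is shown yellow, not green, so a key that was only downloaded and never certified cannot produce the "everything is fine" bar.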


