10/29/05

Thunderbird, Again

I've written and lectured many times about e-mail security. Sometimes, I discuss securing e-mail systems. I rarely discuss protecting e-mail against modification or eavesdropping, because it seems we just don't care. See what I've written in the past at my Secure E-mail Collection. And recently, I blogged E-mail Security: We Still Don't Bother.

I have also written about my love affair with the Eudora e-mail client, and about my thoughts of moving over to Thunderbird.

But, I like Thunderbird's interface. I like its being free. I like its older brother, Firefox. I recommend moving to Thunderbird to others. I almost moved a while back. But, there were some speed bumps, blogged here. But, recently I decided to slowly give it another try.

So far, things are working smoothly. I've not cut over to using it instead of Eudora, yet. But, I find some interesting security features. Recall, in the aforementioned E-mail Security: We Still Don't Bother, my friend Dave wrote,
I am disappointed that I have to give up PGP but could not reasonably continue to purchase $100-200 worth of email and security software for the purpose of communicating with 9 people. What a sad indictment on the state of email security, huh?
Well, I've got Thunderbird with PGP and S/MIME now. It was fairly straightforward. First, S/MIME: Thunderbird comes with it. I followed the instructions for Getting an S/MIME certificate. I got mine from Thawte. Then I followed those for installing the certificate. And it just worked.

For PGP, I used the Thunderbird Enigmail plugin. But first, I installed GPG (in this case, for Windows), using the installer I found at www.gnupg.org. It installed smoothly.

If you are not going to install existing key rings, you can skip the next step.

I then downloaded my secret and private PGP key rings, and used GPG from the command line to read and convert them from PGP to GPG. (I did this in the GnuPG folder.) Once I did this, I installed the Enigmail extension to Thunderbird, restarted it and imported the key files using Enigmail's key manager.

If you are new to all this, you'll use Enigmail to create your first key pair and store it.

This will be your decryption and signing key pair. Since I had one already, I needed to fiddle with Thunderbird's configuration file to point to my key. Actually, I had created a keypair, and had a horrible time trying to get it to use my old one. But, finally I figured it out. So, go ahead and generate a new one. If you want to use the old one, edit the prefs.js file (in your Thunderbird identity folder), and edit the "mail.identity.id3.pgpkeyId" value to have your key ID. Mine looks like this:
user_pref("mail.identity.id3.pgpkeyId", "0x3521CEA0");
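
The hand edit above can also be scripted. This is an added example, not part of the original post: it reads prefs.js text, lists each identity's pgpkeyId, and sets one after validating the key ID. The function names, the sample content and the accepted ID lengths are assumptions; Thunderbird rewrites prefs.js on exit, so apply the result only while it is closed.

```python
import re

# Matches lines such as: user_pref("mail.identity.id3.pgpkeyId", "0x3521CEA0");
PREF_RE = re.compile(
    r'^user_pref\("mail\.identity\.(id\d+)\.pgpkeyId",\s*"([^"]*)"\);\s*$')
# Assumption: IDs are "0x" plus 8, 16 or 40 hex digits (short, long, fingerprint).
KEY_ID_RE = re.compile(r'0x(?:[0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})')

# Constructed sample prefs.js content (addresses and the zero key ID are made up).
SAMPLE_PREFS = (
    'user_pref("mail.identity.id1.useremail", "someone@example.org");\n'
    'user_pref("mail.identity.id3.pgpkeyId", "0x00000000");\n'
    'user_pref("mail.identity.id3.useremail", "me@example.org");\n'
)


def pgp_key_ids(prefs_text):
    """Return {identity: key_id} for every pgpkeyId preference found."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def set_pgp_key_id(prefs_text, identity, key_id):
    """Return prefs_text with the identity's pgpkeyId set to key_id.

    Replaces the existing line (dropping duplicates) or appends a new one.
    Raises ValueError on bad input so a typo never reaches prefs.js.
    """
    if not re.fullmatch(r'id\d+', identity):
        raise ValueError(f"bad identity name: {identity!r}")
    if not KEY_ID_RE.fullmatch(key_id):
        raise ValueError(f"bad key ID: {key_id!r}")
    new_line = f'user_pref("mail.identity.{identity}.pgpkeyId", "{key_id}");'
    out, replaced = [], False
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == identity:
            if not replaced:
                out.append(new_line)
                replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_pgp_key_id(SAMPLE_PREFS, "id3", "0x3521CEA0"), end="")
```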

A restart of Thunderbird, and everything is working. If only people actually used encrypted mail...

Okay, I spoke too soon. There are incompatibilities I cannot figure out between GPG and PGP Personal Privacy 6.5.2 that I run. GnuPG can decrypt and verify a PGP signed and encrypted file. And GnuPG can handle one that GnuPG signs and encrypts. But, PGP cannot decrypt a GPG-encrypted file. I get the error "An error has occurred : encrypted session key is bad". So, what are Mom and Pop supposed to do?

Arrrrg!


I was unclear in explaining how I did some of the above. I used Firefox to get my certificate. I followed the Mozilla instructions, which say, "If you use Firefox to get your certificate and take the Netscape/Messenger option, a certificate silently installs into Firefox." I got a Netscape/Messenger certificate from Thawte. It works fine with Tbird.
I just got a PGP encrypted message from a Thunderbird/Enigmail user, Jason Wyman. He wrote,
Just wanted to let you know that I have PGP set up with Enigmail in Thunderbird and it is working GREAT for me. I've had a lot of time to fiddle with several different set ups as I've "converted" my friends and clients at work.
With me using PGP Desktop 9.0 and Mail.app on my PowerBook, it decrypted and authenticated great. Thanks, Jason!
Jason wrote back:
I just noticed you updated your blog with an excerpt from my email to you. I was going to suggest that you post this email address along with my PGP key for anyone who may need help.... I'd be happy to help. I believe it's very important that more people begin to take their privacy seriously. This would be an opportunity for me to help others make their own lives a little more secure.
You can contact Jason and get his public PGP key at http://home.comcast.net/~jason.wyman/ or at keyserver http://keyserver.pgp.com/.
