Created on 21 December 2017, 15:40 | Category: Blog
Dear Posteo users,
dear Thunderbird users and interested parties,
We have a security notice for everyone who uses Thunderbird or the encryption add-on Enigmail.
It is our goal to make popular open-source solutions more secure. Hence, last autumn we entered into a cooperation with Mozilla’s SOS Fund to commission a security audit of Thunderbird with Enigmail. This was the first security audit for Enigmail ever.
The goal of the audit was to identify vulnerabilities in the tested software and thereby make it more secure over time. The audit revealed multiple vulnerabilities. The developers of Enigmail have already fixed all the problems that were discovered. Some of the security issues have already been fixed in Thunderbird as well, but most improvements will only become available with future versions of Thunderbird. In addition to these vulnerabilities, there is a problem within the architecture of the Thunderbird add-on system.
Thunderbird users of all email providers are affected, including Gmail, Outlook.com and Yahoo.
We are asking all Thunderbird and Enigmail users to carefully read our security recommendations in this article. If you follow our security recommendations, you will already communicate more securely.
24 days, 8 security researchers, 22 vulnerabilities
The thorough audit of Thunderbird and Enigmail in autumn 2017 was conducted by independent security researchers (Cure53). The audit was financed in equal parts by Posteo and the Mozilla SOS Fund. It took 24 days and a team of 8 researchers to carry out the project.
The test covered the fields “Incoming Emails with PGP Signature / PGP Encryption”, “Incoming html Emails”, “Key Generation & Crypto Setup”, “Calendar, RSS and other features with Rich-Text Usage” as well as “Default Settings”.
In total, 22 security-relevant vulnerabilities were discovered, of which 3 were classified as “critical” and 5 as “high”. The developers of Thunderbird and Enigmail were involved in the audit and were informed immediately after it was completed.
The security researchers summarize the conclusions in their report as follows:
“A detailed look at the implementations of both Thunderbird and Enigmail revealed a high prevalence of design flaws, security issues and bugs. (…) In short, secure communications may not be considered possible under the current design and setup of this compound.”
Among the critical issues regarding Enigmail was the fact that it was possible to fake signatures as well as identities. Furthermore, under certain conditions the encrypted communication of users could be intercepted by third parties and subsequently compromised.
The Enigmail developers have already fixed all identified vulnerabilities and provided a new Enigmail version (1.9.9). We would like to thank Enigmail for their work.
However, Enigmail relies on Thunderbird, which will receive many of the improvements only in future versions.
Thunderbird add-on architecture puts your data at risk
This spring, architectural vulnerabilities in Firefox were confirmed as part of a Posteo audit. We then presumed that these architectural vulnerabilities could also be found in Thunderbird, which the current audit has now confirmed:
The add-on architecture of Thunderbird allows an attacker to obtain your email communication through compromised add-ons. The add-ons are insufficiently separated and have access to the user content in Thunderbird. This includes end-to-end encrypted communication: Even a user’s private PGP key can fall into the hands of an attacker. Here, even Enigmail cannot improve the situation. It is even possible for an attacker to use compromised Thunderbird add-ons to gain access to parts of your device and your sensitive data.
The report advises caution:
“Assuming that a vulnerable or rogue extension is installed, an attacker acquires multiple ways of getting access to private key material and other sensitive data. (…) Henceforth, users are asked to be aware that extensions in Thunderbird are as powerful as executables, which means that they should be treated with adequate caution and care.”
Firefox has rebuilt the architecture in the current version 57. For Thunderbird it is not foreseeable when the add-on architecture will be changed.
RSS feeds can act as spies
The audit discovered profound security problems in connection with RSS feeds, which are expected to be fixed entirely in Thunderbird version 59. For security reasons, the actual attack will not be described in this post. The use of RSS feeds in Thunderbird can endanger and reveal your entire communication and other sensitive data.
Please consider the following security recommendations:
For all Thunderbird users:
- Update Thunderbird to the latest versions as soon as they are available. The new versions will remove several of the vulnerabilities that were revealed in this audit.
- Use Thunderbird preferably without or at least with verified add-ons until the architecture of Thunderbird has been rebuilt.
- Do not use RSS feeds in Thunderbird for now. There are critical security problems threatening your entire communication.
- Be careful not to install add-ons through phishing, since rogue add-ons can be used to attack you.
If you follow these security recommendations, your communication will be noticeably more secure.
For Enigmail users:
- Update Enigmail immediately to the new version 1.9.9. This update removes all vulnerabilities identified in this audit.
- Update Thunderbird to the latest versions as soon as they are available. The new versions will remove several of the vulnerabilities that were revealed in this audit.
- Do not install any other add-on except for Enigmail until the add-on architecture of Thunderbird has been rebuilt.
- Do not use RSS feeds in Thunderbird for now. There are critical security problems threatening your entire communication.
- Be careful not to install add-ons through phishing, since rogue add-ons can be used to attack you.
If you follow these security recommendations, your communication will be noticeably more secure.
Audit report to be published after vulnerabilities have been fixed
For security reasons, we will publish the report only after all identified vulnerabilities have been fixed, since the report describes the researchers’ successful attacks in detail. The report has, however, been made available to the participating developers, Posteo and Mozilla.
Posteo supports open source software
Posteo supports open source software with transparent code for security reasons. We are convinced that transparent code is essential for the security and democratic control of the internet. At any time, independent experts can identify vulnerabilities and backdoors, making the software more secure step by step. With closed code, one has to trust each provider’s or developer’s security statements, which cannot be reviewed by the public. For us, this is not an option.
Open source projects need your support
- Donate to the Thunderbird project to support further development of Thunderbird: https://donate.mozilla.org/en/thunderbird/
- Donate to the Enigmail developers to support further development of Enigmail: https://www.enigmail.net/index.php/en/home/donations
After the audit: what the participants say
Enigmail developer Patrick Brunschwig extends his thanks:
“Enigmail is one of the most widely used tools for OpenPGP email encryption. Yet it took 16(!) years of development until the first security audit was performed. It was more than overdue, and I would like to thank Posteo for taking the initiative and co-financing an audit report together with the Mozilla Foundation. Not very surprisingly for such an old project, the audit report revealed a number of important issues that have now been addressed.”
Mozilla regards the audit as a success:
“Mozilla’s Secure Open Source Fund, a MOSS program, provides code-read security audits for key pieces of open source software. We are very pleased to have been able to collaborate with Posteo to audit one of the main software combinations used for secure email, and are glad that users’ data is safer and more secure as a result.”
Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty program of Thunderbird:
“In closing, once all relevant issues reported here by Cure53 have been fixed, it should be strongly considered to re-establish a bug bounty program for Thunderbird. This approach would help keep the security level at an acceptable level instead of allowing it to deteriorate and move towards a stale state of datedness.”
Patrik Löhr from Posteo asks for changes in the add-on architecture of Thunderbird:
“We want to make open source software and end-to-end encryption more secure: security audits are the best way to achieve this aim.
It is a success that all discovered vulnerabilities in Enigmail have already been resolved.
The add-on architecture in Thunderbird, on the other hand, requires more work to achieve an up-to-date secure setup. Thunderbird is an essential tool for many people who work with email and communicate with end-to-end encryption. Therefore, the effort pays off.”
Best regards,
The Posteo team