Security warning for Thunderbird users and Enigmail users: vulnerabilities threaten confidentiality of communication

Created on 21. December 2017, 15:40 | Category: Blog

Dear Posteo users,
dear Thunderbird users and interested parties,

We have a security notice for everyone who uses Thunderbird or the encryption add-on Enigmail.

It is our goal to make popular open-source solutions more secure. Hence, last autumn we entered into a cooperation with Mozilla’s SOS Fund to commission a security audit of Thunderbird with Enigmail. This was the first security audit for Enigmail ever.

The goal of the audit was to identify vulnerabilities in the tested software and to make the software safer consistently. The current audit showed multiple vulnerabilities. The developers of Enigmail have already fixed all the problems that were discovered. Some of the security issues have already been fixed in Thunderbird, as well – but most improvements will only be available with future versions of Thunderbird. In addition to these vulnerabilities, there is a problem within the architecture of the Thunderbird add-on system.

All Thunderbird users with all providers are affected, including Gmail, Outlook.com or Yahoo.

We are asking all Thunderbird and Enigmail users to carefully read our security recommendations in this article. If you follow our security recommendations, you will already communicate more securely.
#more#

24 days, 8 security researchers, 22 vulnerabilities

The thorough audit of Thunderbird and Enigmail in autumn 2017 was conducted by independent security researchers (Cure53). The audit was financed in equal parts by Posteo and the Mozilla SOS Fund. It took 24 days and a team of 8 researchers to carry out the project.
The test covered the fields “Incoming Emails with PGP Signature / PGP Encryption”, “Incoming html Emails”, “Key Generation & Crypto Setup”, “Calendar, RSS and other features with Rich-Text Usage” as well as “Default Settings”.

In total, 22 security relevant vulnerabilities have been discovered, of which 3 were classified as “critical” and 5 as “high”. The developers of Thunderbird and Enigmail were involved in the audit and were informed immediately after the security audit.

The security researchers summarize the conclusions in their report as follows:

“A detailed look at the implementations of both Thunderbird and Enigmail revealed a high prevalence of design flaws, security issues and bugs. (…) In short, secure communications may not be considered possible under the current design and setup of this compound.”

Among the critical issues regarding Enigmail was the fact that it was possible to fake signatures as well as identities. Furthermore, the encrypted communication of users can be intercepted by third parties and could be compromised further on under certain conditions.
The Enigmail developers have already fixed all identified vulnerabilities and provided a new Enigmail version (1.9.9). We would like to thank Enigmail for their work.
However, Enigmail relies on Thunderbird, which will receive many of the improvements only in future versions.

Thunderbird add-on architecture puts your data at risk

This spring, architectural vulnerabilities in Firefox were confirmed as part of a Posteo audit. We then presumed these architectural vulnerabilties could also be found in Thunderbird, which is confirmed by the current audit:

The add-on architecture of Thunderbird allows an attacker to obtain your email communication through compromised add-ons. The add-ons are insufficiently separated and have access to the user content in Thunderbird. This includes end-to-end encrypted communication: Even a user’s private PGP key can fall into the hands of an attacker. Here, even Enigmail cannot improve the situation. It is even possible for an attacker to use compromised Thunderbird add-ons to gain access to parts of your device and your sensitive data.

The report advises caution:

“Assuming that a vulnerable or rogue extension is installed, an attacker acquires multiple ways of getting access to private key material and other sensitive data. (…) Henceforth, users are asked to be aware that extensions in Thunderbird are as powerful as executables, which means that they should be treated with adequate caution and care.”

Firefox has rebuilt the architecture in the current version 57. For Thunderbird it is not foreseeable when the add-on architecture will be changed.

RSS feeds can act as spies

The audit discovered profound security problems in connection with RSS feeds, which are expected to be fixed entirely in Thunderbird version 59. Due to security reasons, the actual attack will not be described in this post. The use of RSS feeds in Thunderbird can endanger and reveal your entire communication and other sensitive data.

Please consider the following security recommendations:

For all Thunderbird users:

  • Update Thunderbird to the latest versions as soon as they are available. The new versions will remove several of the vulnerabilities that were revealed in this audit.
  • Use Thunderbird preferably without or at least with verified add-ons until the architecture of Thunderbird has been rebuilt.
  • Do not use RSS feeds in Thunderbird for now. There are critical security problems threatening your entire communication.
  • Do not accidentally install add-ons through phishing, since rogue add-ons can be used to attack you.

If you follow these security recommendations, your communication will be notedly more secure.

For Enigmail users:

  • Update Enigmail immediately to the new version 1.9.9. This update removes all vulnerabilities identified in this audit.
  • Update Thunderbird to the latest versions as soon as they are available. The new versions will remove several of the vulnerabilities that were revealed in this audit.
  • Do not install any other add-on except for Enigmail until the add-on architecture of Thunderbird has been rebuilt.
  • Do not use RSS feeds in Thunderbird for now. There are critical security problems threatening your entire communication.
  • Do not accidentally install add-ons through phishing, since rogue add-ons can be used to attack you.

If you follow these security recommendations, your communication is notedly more secure.

Audit report to be published after vulnerabilities have been fixed
Due to security considerations we will publish the report after all identified vulnerabilities have been fixed, since the report describes the researchers successful attacks in detail. However, the report was made available to the participating developers, Posteo and Mozilla.

Posteo supports open source software
Posteo supports open source software with transparent code for security reasons. We are convinced that transparent code is essential for the security and democratic control of the internet. At any time, independent experts can identify vulnerabilities and backdoors, making software more secure step-by-step. With intransparent code there is a need to trust each provider’s or developer’s security statements, which are not reviewable by the public. For us, this is not an option.

Open source projects need your support

- Donate to the Thunderbird project to support further development of Thunderbird: https://donate.mozilla.org/en/thunderbird/
- Donate to the Enigmail developers to support further development of Enigmail: https://www.enigmail.net/index.php/en/home/donations

After the audit: what the participants say

Enigmail developer Patrick Brunschwig extends his thanks:

“Enigmail is one of the most widely used tools for OpenPGP email encryption. Yet it took 16(!) years of development until the first security audit was performed. It was more than overdue, and I would like to thank Posteo for taking the initiative and co-financing an audit report together with the Mozilla Foundation. Not very surprising for such an old project, the audit report revealed a number of important issues that were addressed now.”

Mozilla regards the audit as a success:

“Mozilla’s Secure Open Source Fund, a MOSS program, provides code-read security audits for key pieces of open source software. We are very pleased to have been able to collaborate with Posteo to audit one of the main software combinations used for secure email, and are glad that users’ data is safer and more secure as a result.”

Dr. Mario Heiderich from Cure53 hopes for a reopening of the bug bounty program of Thunderbird:

“In closing, once all relevant issues reported here by Cure53 have been fixed, it should be strongly considered to re-establish a bug bounty program for Thunderbird. This approach would help keeping the security level at an acceptable level instead of allowing it to deteriorate and move towards a stale state of datedness.”

Patrik Löhr from Posteo asks for changes in the add-on architecture of Thunderbird:

“We want to make open source software and end-to-end encryption more secure: security audits are the best way to achieve this aim.
It is a success that all discovered vulnerabilities in Enigmail have already been resolved.
The add-on architecture in Thunderbird, on the other hand, requires more work to achieve an up-to-date secure setup. Thunderbird is an essential tool for many people who work with email and communicate with end-to-end encryption. Therefore, the effort pays off.”

Best regards,

The Posteo team

Transparency notice: Our donations for 2016

Created on 14. September 2017, 18:15 | Category: Blog

Dear Posteo users and interested parties,

In the name of transparency we have now updated our donation page, where we document the organisations that we financially supported during the previous year (2016).

It is important to us to encourage social engagement and to take responsibility as a company. We therefore support selected charitable organisations in the areas of environment and climate protection, internet politics and freedom of opinion, as well as refugee aid.

During last year, Posteo donated a total of 29.600,00 EUR. Of this, 28.002,00 EUR constituted voluntary donations by Posteo. The remaining 1.598,00 EUR came from users’ remaining credit. #more#

Compared to the year before we were able to increase our donations by 5,250.00 EUR for 2016.

As per the previous year, recipients of Posteo donations included Reporters Without Borders, UNO-Flüchtlingshilfe, Friends of the Earth Germany (BUND) and Netzpolitik.org.

A new addition is a German Red Cross project in the Amazon, where 1.3 million people are acutely threatened by the increase in extreme weather events due to climate change. The project sees houses set up on raised platforms with secure architecture. In addition, blankets and hygiene kits are distributed and a health service set up. The project sustainably contributes to ensuring the existence of people affected by climate change.

In addition, we support the European Centre for Constitutional and Human Rights (ECCHR) since 2016. The ECCHR lawyers’ aim is to hold state and non-state actors legally accountable for grave human rights abuses. Among others, the ECCHR was founded in 2007 by human rights lawyer Wolfgang Kaleck, who represented whistleblower Edward Snowden in Germany.

Posteo does business sustainably and is independent. Our service is financed by our customers’ account fees alone. There are no investors or advertising partners at Posteo.

You are therefore what makes our engagement possible – you make a difference, for which we thank you very much.

All recipients of Posteo donations can be found on our donations page.

Best regards,

The Posteo team

Help video: How to additionally secure your account with two-factor authentication

Created on 23. August 2017, 16:30 | Category: Blog

Dear Posteo users,

We are often asked whether Posteo accounts can be additionally secured without requiring specific knowledge of computers. One possibility is to use two-factor authentication, which we have offered for some time now.

Two-factor authentication is simple but effective additional protection against unauthorised access. When logging in to the webmail interface, a one-time password is required in addition to the personal password. Two-factor authentication prevents account theft: If criminals or intelligence services capture your access information (username and password), they then have no possibility to access your account settings, change your password and lock you out of your account. Third party access of your account and security settings is effectively prevented.

In our experience, people without special knowledge of IT often do not trust themselves to activate two-factor authentication. Optimal online security is important for all, however. For this reason we have today published a video in which our help section editor Tim Vüllers shows you step-by-step how to set up the additional protection. He also explains how the process fundamentally works as well as demonstrating how he uses it on an everyday basis. In addition, he reveals another security trick – if you do not use Posteo with external email programs (such as Outlook and Thunderbird), you can block access for such programs. Thus two factor authentication additionally protects your emails against unauthorised access.

In future, we will be making additional help videos available. Our videos can be accessibly viewed with subtitles. There are also versions of the video available in English and French.

With two-factor authentication, no additional costs are incurred and you can use it on many different devices (computer, smartphone, tablet, YubiKey).
By the way: Our customer support is happy to provide further personalised help if you have any questions or problems with two-factor authentication. Detailed step-by-step instructions for setup can alternatively also be found in the Posteo help section.

Best regards,

The Posteo team

Update: Petya aimed at destroying data

Created on 27. June 2017, 18:15 | Category: Blog

Update: July 3, 2017, 12:45:

Leading security firms now consider that Petya (also known as “PetrWrap” and “NotPetya”) was aimed at destroying data. Petya apparently disguised itself as ransomware but its aim was not to extort money. Analyses by IT security companies Kaspersky and Comae Technologies show that the malware did not encrypt data on the affected systems but instead deleted it. It appears that Petya overwrites data irreversibly, rendering restoration impossible. For the parties concerned, paying the ransom or contacting the attackers would have been useless.

The Posteo address specified in connection with the attack was immediately blocked by Posteo on Tuesday at midday, before the attack spread. The attackers did not replace the blocked address with another one.

June 27, 2017, 18:15:

Info on the PetrWrap/Petya ransomware: Email account in question already blocked since midday

Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. There was no press coverage at that time. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.

During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.

Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.

We are in contact with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

What is ransomware?
“Ransomware” denotes malicious software, which becomes installed on a device, for example, by clicking a bad link or attachment. This primarily occurs when the device is poorly protected – when software installed there has not been updated for an extended time, for example. The malicious software prevents access to data and systems – and the user affected is requested to pay a ransom for the release of their data. Payment often does not lead to the data being released, however.

Best regards,

The Posteo team

New: Posteo migration service now for calendars too

Created on 12. June 2017, 18:00 | Category: Info

Dear Posteo users,

We have extended the Posteo migration service. From now on, you can transfer not only your existing email accounts and address books to Posteo, but also your calendars.

The extended migration service allows calendar transfer from providers such as gmx, web.de, Gmail, Aol or iCloud.

Here’s how it works: You can find the new, extended migration service in the settings of your Posteo account under “My account”. When you undertake a new migration service there, not only the email folders and address book will now be shown to you, but also the calendars from your previous account. With a click of the mouse you can conveniently select which items you wish to transfer to Posteo. You can decide yourself whether to delete the data from your previous provider after the transfer.

Special characteristics of the Posteo migration service:
It is free of charge, you do not require any special technical knowledge for the transfer – and you retain control of your data. We do not use transfer service providers. For this reason, your sensitive emails, address book and calendar data are never transferred over a third-party service at any point. We developed our migration service ourselves, so that it conforms to our high requirements in terms of security and data economy: Your data is collected by us directly from your previous provider and transferred to your Posteo account over encrypted connections.

For reasons of data economy, we also do not save the email addresses from which you have transferred data to your Posteo account, for example.

If you have any questions on transferring your calendar data or the Posteo migration service in general, please feel free to contact Posteo support.

Best regards,

The Posteo team