• Members 8 posts
    Dec. 17, 2020, 6:20 p.m.

    Thanks for making this software. I already have PGP keys, which I migrated from Enigmail to OpenPGP. I run Thunderbird on my MacBook running MacOS 10.15.7. I also use the p=p Android client.

    I am experiencing some issues:

    I use two Thunderbird profiles but only one shows the p=p addon.

    Every few minutes (presumably when Thunderbird syncs with the server), there is a rapid succession of emails with subject “p≡p key management message - please ignore” appearing and disappearing in the Inbox. It has also happened that a number of them (in the TB profile that didn't show the p=p addon each time upon loading and many emails, in the other profile it happened just once with only one email) remained in the Inbox from where I deleted them.

    A number (but not all - why ?) of draft emails cannot be decrypted even though I do not remember encrypting them, and they were drafted before installing p=p. After removing the p=p addon I could decrypt them again using OpenPGP, but to get this working I first had to re-activate Enigmail and migrate all the keys again (after which I could disable Enigmail again).

    The bar that's supposed to show the security status is only shown sometimes when it can't decrypt (grey bar) - then it's shown at the top of the email.

    What is the folder "pEp" (sub folder of the Inbox) for ? Can I delete it ?

    In the p=p preferences under the compatibility tab, once a file has been selected for import, the field can't be cleared anymore.

    I have removed the p=p addon for now, and hope you can make some changes. I'll be glad to try again.

    In your tutorial that is shown when first starting Thunderbird as well as on https://www.pep.security/docs/thunderbird.html it states that trustwords should be compared by phone, but I'd surmise that's not a very secure way of exchanging trustwords. Perhaps suggest using a more secure method, like Signal, instead ?

    The link https://www.pep.security/docs/thunderbird on https://www.pep.security/en/faq/ is incorrect, it should presumably be https://www.pep.security/docs/thunderbird.html

  • Dec. 18, 2020, 5:35 p.m.

    The E-Mails you see disappearing are used for grouping devices for syncing keys and eventually more things like calendar and contacts across all devices using this account.
    With an upcoming update, they will be stored in the freshly created pEp folder so they no longer trigger notifications and irritate users.
    If you disable sync for the account you will no longer see them.
    They should be gone after a couple of minutes.

    It is rather unlikely to intercept a phone call, credibly impersonating the other person's voice and doing this when there is a user-initiated comparison of trust words.
    If you sync your own devices, this can be done quickly by just looking at the screens.
    You can of course do it with any other independent second channel of your choice, like an encrypted phone call or meeting people in person.

    Looking at your drafts problem would be easier if you could share logs from your application.

  • Members 8 posts
    Dec. 18, 2020, 5:42 p.m.

    Where could I find these logs ?

  • Dec. 18, 2020, 5:44 p.m.

    In Thunderbird it is Extras>Developer Tools > Error Console, usually the shortcut is ctrl+shift+j.
    It allows us to see what TB & addons are doing.

  • Members 8 posts
    Dec. 18, 2020, 6:58 p.m.

    Ok, on Mac it's cmd+shift+j. I sent the log to you at support@pep.security.

    Wrt. the key management messages, if you have multiple identities a lot of extra messages for those other (non-default) identities appear that stay in the inbox. Only the default identity is stored in the pEp subfolder and eventually deleted.

  • Dec. 19, 2020, 9:01 a.m.

    Hi Axel, wow, you've run into a lot of issues. All those can be resolved. I'll try to answer when I find the time, likely tonight (10 hours from now).

    EDIT: Please let us know which OS (operating system) and which version of TB (Thunderbird) you're using. At a guess it's Windows since the add-on was only installed into one profile, on Mac we hit all profiles, and TB 68 as Enigmail still seems to work. Or are you referring to TB's new OpenPGP implementation in TB 78?

  • Members 8 posts
    Dec. 19, 2020, 2:24 p.m.

    I run Thunderbird 78.5.1 on my MacBook Pro (15 inch, 2018) running MacOS 10.15.7. I also use the p=p Android client on a Pixel 2. Without the pEp addon, OpenPGP works fine.

  • Dec. 19, 2020, 3:10 p.m.

    OK, let's see:

    Problem 1)

    I use two Thunderbird profiles but only one shows the p=p addon.

    Since TB 68, TB has the "profile per install" feature, that means that it distinguishes between regular release, beta and Daily installations. Each installation has one or more dedicated profiles, and it's not advisable to run a - say - beta installation in a release profile. Let's assume that you only have a regular release installation of 78. You can still have two or more profiles, one being the default for the installation. On Mac, which you have, we only install into the last used profile. On Windows, it's different, we present a list of all default profiles if there are multiple installations.

    How to install into the second profile: Open the profile folder of the profile where pEp was installed via "Help > Troubleshooting Information", Profile folder, Open Folder. In there is a folder "extensions" and in there you'll see the pEp add-on, it's called pEp4Tb@pEp.security.xpi. Start TB on the other profile and install the add-on from file. Sorry about this clumsy install, our market strategists were of the opinion that Mac users only have one install and one profile.

    Problem 2)

    emails with subject “p≡p key management message - please ignore”
    What is the folder "pEp" (sub folder of the Inbox) for ? Can I delete it ?
    It has also happened that a number of them remained in the Inbox from where I deleted them.

    These e-mails are used for synchronising between multiple devices. That's called "pEp Sync". You can globally disable pEp Sync, or you can disable it per TB identity. Please check the pEp Options which you can find under Tools or in the Hamburger/Application menu. After arriving in the inbox, Sync messages are moved to the pEp folder. Please don't delete that folder. A clean-up happens every 10 minutes and older messages are removed from the pEp folder. They are also removed from the inbox. If they don't get removed from the inbox, then the inbox needs a repair since its index is corrupt. To repair the inbox, right-click, select "Properties" from the context menu, then "Repair Folder". For an IMAP folder, that will likely re-download all messages. You can also remove those messages manually.

    Problem 3)

    A number draft emails cannot be decrypted even though I do not remember encrypting them

    Sadly, once you enable OpenPGP in TB, all drafts are encrypted. There has been some discussion in the TB community to make draft encryption optional like it was in Enigmail, but I don't know whether or when that will be implemented, see bugzilla.mozilla.org/show_bug.cgi?id=1672047. pEp doesn't have that problem since it has the concept of a "trusted server". So if you store your drafts on a trusted server, or in Local Folders, which you can set to "trusted", then drafts are not encrypted. Also see bugzilla.mozilla.org/show_bug.cgi?id=1650551#c28

    If after installing pEp for Thunderbird something couldn't be decrypted, then the installation didn't import your private key(s).

    Here's some background. Enigmail in TB 68 or earlier used GnuPG as a backend. The OpenPGP implementation in TB uses a different backend called RNP. So all that Enigmail for TB 78 does is migrate the keys from GnuPG to RNP.

    The installation of pEp migrates keys from GnuPG to pEp's own storage. On Mac, that's in your home directory in a subdirectory .pep. The database consists of keys and management DB files. You can also import your keys manually, that works for private and public keys.

    So I suggest the following: Delete the .pep directory (I hope it's not locked, not a Mac expert) and restart the Mac. That should give you a fresh start. Then install pEp for Thunderbird again. That should migrate all the keys from GnuPG, but not any keys you might have created in TB using OpenPGP. If you've always used the same private key, that key should have been imported. Or you can import it manually.

    Problem 4)

    In the p=p preferences under the compatibility tab, once a file has been selected for import, the field can't be cleared anymore.

    Yes, we'll look into that in a future version. However, use the browse button to select another key to import. Clearing the field would just be a cosmetic option.
    EDIT: It's a file picker field and the content can't be cleared. Check the "new mail sound" in TB, that also can't be cleared. If you find it totally annoying, we could clear the related preference on every restart.

    Problem 5)

    tutorial states that trustwords should be compared by phone, but I'd surmise that's not a very secure way ...

    Will refer that to the product designers.

    Problem 6)

    The link https://www.pep.security/docs/thunderbird on https://www.pep.security/en/faq/ is incorrect, ...

    Will refer that to our web designers. It's the:
    your question might be covered by our user manual which can be found at https://www.pep.security/docs/thunderbird

  • Dec. 19, 2020, 4:04 p.m.

    Hi, Alex,

    the side channel for Trustwords is not dependent on cryptographic features but on the impression a person has if he or she is really talking to the expected person or not. Therefore, cryptographic side channels don't help.

    The problem of the Turing test is comparable. While the Turing Test is checking “am I talking to a real person”, the Trustwords check contains the check for “am I talking to a real person AND is this really the very person I want to exchange text messages with”. People usually are hard to fox when they're having a physical meeting with a person they know. It's less good if they've got a video conference or a phone call, but most people still become skeptical if someone wants to play a role of another person there in case they know this person.

    Yours,
    VB.