Tell HN: Enigmail 2.0 to automatically encrypt e-mails

70 points by vx17h ↗ HN
It's four days ago the pEp-Development branch was merged into the master source code repository of Enigmail, meaning the pretty Easy privacy (p≡p) technology is now at Enigmail's core to encrypt e-mails:

https://sourceforge.net/p/enigmail/source/ci/382c7dc3cc84a0fa9648ad5f7054e725d32eda22/log/?path=

In fact, for novice users (or such without OpenPGP setup), the new p≡p scheme will be used (as "junior mode") to automatically create keys and distribute them to the communication partners: https://twitter.com/pEpCouncil/status/792233350463447040

p≡p has a broad, cross-platform approach as how to automatically encrypt all "written digital communications".

Furtherly, its technologic core (p≡p engine) underwent a code audit: https://pep.foundation/blog/press-release--pep-releases-first-code-audit-of-the-pep-engine/index.html

A beta of Enigmail/p≡p will be launched at Mozilla Festival in London, this Sun: https://twitter.com/pEpCouncil/status/791575091343687680

Good video talks explaining what p≡p actually is, were given at the GNU Hacker Meeting (GHM) in Rennes, France: https://gnunet.org/ghm2016

13 comments

[ 3.2 ms ] story [ 37.5 ms ] thread
Will pep handle key exchanging as well? Looks interesting, but I can't find out if/how it handles this?
Yes, the public key is just attached to the outgoing messages and automatically imported by p≡p-capable software.

That's kind of a TOFU (Trust On First Use) approach, but you can verify trust by comparing the fingerprints, in p≡p by default represented as dictionary words in your natural language (somewhat similar to Signal). That's suitable for comparison by phone (=> quickly done).

Is there an indication of trust status? I.e. "auto imported" vs. Manually verified, and more importantly what happens when fingerprints change?
Yes, there's a Privacy Status in p≡p, there being four different states: no color (mostly today: insufficient crypto, weak crypto, unknown), yellow/orange for accepted, transparent and well implemented crypto, green for crypto avoiding the MITM (Man-In-The-Middle) possibility (after the involved peers checked their Trustwords and accepted them to be trustworthy) and red if the p≡p engine detects an attack.

Cf. the documentation for screenshots how this looks (nowadays): https://prettyeasyprivacy.com/docs

Messages from or to a contact can also show red, I forgot to mention, if the user decides that the key pair used by that contact is not trustworthy. That can make sense if you see from the contents of a message (and subsequently perhaps by a phone call, adding evidence to that) that someone's in between or the key pair in place is not really belonging to the contact, but made up.
(comment deleted)
For whoever doesn't know what Enigmail is... it's a security add-on for Mozilla Thunderbird. It allows you to use OpenPGP to encrypt and digitally sign your emails and to decrypt and verify the messages received.
Mods, can we have a "Show HN" prefix for this please?

I didn't realize this was just a discussion thread here, and I opened two tabs like I usually do - one for the main link and one for the HN thread. In this case I got two tabs with the same HN thread. :)

Will this be supported in Postbox 5? I know enigmail 1.2 is but I won't pull the trigger on Postbox 5 yet until I can confirm this add on will work with it.
That should be possible, because IMHO Postbox (as a fork) also works with Enigmail.
"I can neither confirm nor deny this will work." :) Possible and does are a little different :)
Well, first of all: does it work now with Enigmail v1.9.5? That would be good sign already. We will have to try ...
Well Postbox lists a link to Enigmail 1.2.3. So it's a little outdated. Which makes me wonder when or IF the enigmail folks will make 2.0 available for postbox.