I am writing this post because Thunderbird 78.x has issues for advanced PGP users. But first, I’d like to say a few words to all the frustrated users: I hear you, I too am displeased with this update, but while it’s easy to complain and rant, we should look at the bright side and still be grateful that Mozilla thought of including PGP, as it makes it more accessible to users that are not as tech-savvy. It’s always good to push for privacy and having it built-in, and easy to use! But, there are issues with the new built-in PGP that we should talk about…

Preface

You know, as I stated in my open letter: Security and privacy is important to me. Of course, this means I use PGP, or more specifically, GnuPG with smartcards.

I like FOSS, especially if it’s cross-platform as I use Linux, Mac and Windows (alphabetical order, no preference stated) and it’s great to be able to use your software on all your machines across all systems, and for free! The popular email client, Thunderbird is one such application that meets these criteria, and so is GnuPG (or GPG for short), a popular application that implements the OpenPGP specification.

GnuPG has a ton of features, among those features is the support of smartcards. Keep this in mind.

Now, let’s take a look at the situation in Thunderbird before, and then since version 78.x and what we can do about it.

The situation before version 78.x

Before Thunderbird 78.x (namely 68.x), if you had both Thunderbird and GnuPG installed, all you had to do was to install a Thunderbird addon known as Enigmail. This addon basically bridged the gap between Thunderbird and GnuPG, and essentially allowed you to experience full PGP within Thunderbird.

Of course this meant you had to install GnuPG on your system, then an addon, then generate and manage keys, and – although powerful – it was overall not as user-friendly as it could be.

So, even I as an advanced user, was excited that Thunderbird would come with PGP built-in in 78.x as I thought they might ship it with GnuPG, and something like Enigmail but built-in and maybe more user-friendly. At the very least having no third-party things to install sounds better. And convenience is nice, right? But I was wrong.

The situation since version 78.x

You see, Mozilla, the people behind Thunderbird did not ship it with GnuPG. Instead, they use a library called RNP. This library does not provide full-featured PGP.

RNP does for example, not support the use of smartcards. Which, basically means no PGP at all for me or any user with smartcards. Thunderbird does currently also not support using subkeys with detached primary key. Which means any advanced user that did a proper, more secure PGP setup, can also not use PGP with Thunderbird for the time being.

So, you might think to yourself: Just install Enigmail! Well, here’s the thing: Enigmail does not work with Thunderbird 78.x!

Thunderbird 78.x has hidden settings in the advanced configuration editor, that you can use to tell it to use external GnuPG, which is great! Except it doesn’t really work…

It did not work for me, and I tried many things, on different systems, followed different guides (including the official Mozilla Wiki), and heard the same from other users through the fediverse. For a friend of mine, setting up Thunderbird to use external GnuPG on Windows made it outright crash whenever trying to open a PGP encrypted email!

And this is basically the problem. On one hand, Mozilla was cool enough to include (some) PGP in Thunderbird which in theory makes it more accessible as you can generate and use keys with a few clicks, which is also good for us advanced users as we can then email privately with friends that would otherwise be unable to use PGP. But on the other hand the execution was bad in such a way that it stabs all the advanced users that were already using (advanced setups of) PGP.

What to do about it (for now)

Honestly, my advice to anyone that uses Thunderbird and depends on advanced PGP (smartcard etc.) for now: Just downgrade to Thunderbird 68.x and install Enigmail. It seems it will still receive updates for now and there’s no forced update to 78.x (yet). I just tried, and got an (undocumented) update for the 68.x version (namely 68.12.1).

Let’s hope they will keep providing security updates for 68.x until they have (hopefully) sorted out PGP in version 78.x so that we will eventually be able to upgrade, but without being pushed into a broken environment prematurely.

You can get the latest version of 68.x from here (official download link): https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/68.12.1/

Please note that, Thunderbird will notice that the current configuration is from a newer version after downgrading, which you cannot use. This will result in a little window informing you about that on startup. Your only two options are to quit the application, or to create a new (configuration) profile. This means you will have to set up your accounts again but at least PGP will work again (with Enigmail and GnuPG)!

Thank you and goodnight! :D

UPDATE 2020-NOV-29

Hey everyone, this article drew many visitors after it was posted on HN (thanks, kind stranger!) and I did read through the comments (both here and some on HN)!

I’d like to address some things:

  1. I saw a tl;dr on HN which mentioned the downgrade recommendation, but without the details. As I understood it, it got criticized as you need to stay up to day for security reasons. And I agree with that. However, I’d like to make it clear that I only recommended a downgrade for now, as it seems the 68.x branch is still getting updates, as I experienced myself. As long as Thunderbird does not drop support for 68.x, and does not force an upgrade to 78.x, I think downgrading is fine. When Thunderbird finally drops support for 68.x, I would of course not recommend staying on outdated software.
  2. When Thunderbird 68.x reaches EOL, and if 78.x hasn’t sorted out the issues with PGP by then, an alternative, if you’re on Windows and have MS Outlook, would be the free GpgOL extension for Outlook that comes bundled with Gpg4win. Please note that I don’t have experience with this myself, but I’d like to point it out anyway in case it’s useful. There’s also a (paid) Apple Mail extension that comes with gpgtools, however I do not recommend it unless you don’t mind paying for each new major version every year.
  3. Thank you for informing me that Thunderbird is not part of Mozilla Corporation anymore, but as I understood it, still part of Mozilla Foundation. So, I guess in that case I’m addressing the Mozilla foundation. If this is still wrong, please let me know.

PS I was exhausted and it was late at night when I originally wrote this article, and I wasn’t fully happy with it but people seemed to like it and had very constructive feedback which really helps. Thank you all for stopping by and reading it! <3