搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

We put together a 40-page document with many screenshots concerning usability issues in Thunderbird security. Who's the right contact at Thunderbird to sent to?

  • 5 个回答
  • 1 人有此问题
  • 1 次查看
  • 最后回复者为 Wayne Mery

more options

Dear Thunderbird developers, dear Mozilla Foundation.

I belong to a team of German academics who use Thunderbird under Windows and Linux and we'd like to do so in the future. Nevertheless, there are some things which should be improved. We'd be happy to deliver our findings and afterwards (after you implemented it in a better way) do an exhaustive testing. We can even help with some bachelor theses if you support us in how to integrate the results into the default Thunderbird distribution.

We teach crypto courses for students and pupils. We collected their feedback and documented the issues people have with Thunderbird when performing encryption and signing messages.

How can we upload the 40-page pdf document to share our findings -- the website (https://support.mozilla.org/en-US/questions/new/thunderbird/privacy-and-security) only accepts images?

Our 40-page document contains scenarios (with many screenshots) preventing users from using TB for email security. The document's structure is like this: 1. S/MIME only; 2. S/MIME and Enigmail; 3. Enigmail only. There are things where the wording is just misleading; however, more things are just wrong.

We really hope that this documentation is helpful. Thanks a lot for your response.

Best regards, Bernhard

Dear Thunderbird developers, dear Mozilla Foundation. I belong to a team of German academics who use Thunderbird under Windows and Linux and we'd like to do so in the future. Nevertheless, there are some things which should be improved. We'd be happy to deliver our findings and afterwards (after you implemented it in a better way) do an exhaustive testing. We can even help with some bachelor theses if you support us in how to integrate the results into the default Thunderbird distribution. We teach crypto courses for students and pupils. We collected their feedback and documented the issues people have with Thunderbird when performing encryption and signing messages. How can we upload the 40-page pdf document to share our findings -- the website (https://support.mozilla.org/en-US/questions/new/thunderbird/privacy-and-security) only accepts images? Our 40-page document contains scenarios (with many screenshots) preventing users from using TB for email security. The document's structure is like this: 1. S/MIME only; 2. S/MIME and Enigmail; 3. Enigmail only. There are things where the wording is just misleading; however, more things are just wrong. We really hope that this documentation is helpful. Thanks a lot for your response. Best regards, Bernhard

被采纳的解决方案

One possible path is the following 1. Create a bug create a bug to which you attach the PDF. We'll make that a meta bug 2. You or someone else can make individual bugs out of each discrete issue in the proper product component (in bugzilla we create one bug per one issue), and we'll make each block the meta bug of step 1. 3. We can discuss how to proceed in cases where you have students who can fix bugs, and whether mentors are needed.

It might be a good exercise for members of the team to create the bugs. Note, enigmail is not part of Thunderbird. So where issues involve enigmail code, bugs must be filed against enigmail. Those can also be linked to the meta bug.

If there are things that might be big enough to be a "project, we might also discuss GSOC? See https://wiki.mozilla.org/SummerOfCode#2016 and https://wiki.mozilla.org/Community:SummerOfCode16 and https://developers.google.com/open-source/gsoc/timeline?hl=en We don't yet have ideas listed for 2016. The ideas of 2015 are at https://wiki.mozilla.org/Community:SummerOfCode15#Thunderbird

定位到答案原位置 👍 1

所有回复 (5)

more options

Bernhard, thanks for reaching out.

Are any issues in your document exploitable security exposures that are not currently in the public domain, and should not be public until they are fixed?

more options
Wayne Mery #answer-835039: Are any issues in your document exploitable security exposures that are not currently in the public domain

The document doesn't contain exploits, but usability issues, which prevent users from further applying email security or let them apply it in an unintended manner.

more options

选择的解决方案

One possible path is the following 1. Create a bug create a bug to which you attach the PDF. We'll make that a meta bug 2. You or someone else can make individual bugs out of each discrete issue in the proper product component (in bugzilla we create one bug per one issue), and we'll make each block the meta bug of step 1. 3. We can discuss how to proceed in cases where you have students who can fix bugs, and whether mentors are needed.

It might be a good exercise for members of the team to create the bugs. Note, enigmail is not part of Thunderbird. So where issues involve enigmail code, bugs must be filed against enigmail. Those can also be linked to the meta bug.

If there are things that might be big enough to be a "project, we might also discuss GSOC? See https://wiki.mozilla.org/SummerOfCode#2016 and https://wiki.mozilla.org/Community:SummerOfCode16 and https://developers.google.com/open-source/gsoc/timeline?hl=en We don't yet have ideas listed for 2016. The ideas of 2015 are at https://wiki.mozilla.org/Community:SummerOfCode15#Thunderbird

more options

1) Creating a bug and attaching the PDF worked well. Thanks.

2) The team I am working with is crypto related, so the main reasons for using TB are stability, multi-platform support, and good support of encryption. We agree "Enigmail" is not part of TB, but its functionality should be, as both standards (S/MIME and PGP) have a similar market share, they both should be supported by TB itself. This could guarantee a consistent way in using these two email encryption standards.

So our request is a built-in PGP support -- and as the Enigmail plugin has a broad user community we think it would be best to contact the author of Enigmail and discuss its integration into Enigmail. Some things there are solved more user friendly than in the current TB GUI for S/MIME.

> 3. We can discuss how to proceed in cases where you have students > who can fix bugs, and whether mentors are needed. Thanks a lot -- I'll get in contact with you if we have an according student.

more options