Feature #13649

Decide what to do with Memory Hole in Thunderbird

Added by anonym 2017-08-18 11:42:33 . Updated 2019-06-19 12:07:39 .

Status:
Resolved
Priority:
Normal
Assignee:
intrigeri
Category:
Target version:
Start date:
2017-08-18
Due date:
% Done:

0%

Feature Branch:
Type of work:
Wait
Blueprint:

Starter:
Affected tool:
Email Client
Deliverable for:

Description

By installing Enigmail we get the Memory Hole feature, which is disabled by default (presumably since it’s still experimental and not widely supported). However, TorBirdy 2.3 (not in Debian as of writing this) enables this feature in Enigmail, so before we upgrade TorBirdy we have to decide whether we want to enable this.

Memory Hole degrades UX significantly if you are a recipient without support for it: all such emails will have the subject “Encrypted Message” and will lack threading (due to dropped “In-Reply-To”). So, in practice (given that very few clients support Memory Hole) this means that Tails users will be a PITA for the vast majority of non-Tails users.

I think we should proactively disable it by setting

user_pref("extensions.torbirdy.custom.extensions.enigmail.protectHeaders", false);

Torbirdy ticket about this: https://trac.torproject.org/projects/tor/ticket/28493


Subtasks


Related issues

Related to Tails - Bug #15201: Disable Memory Hole for outgoing emails in Tails Resolved 2018-01-19
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by bertagaz 2017-08-18 14:16:20

anonym wrote:
> I think we should proactively disable it by setting
> […]

I agree! But we may also want to document how to set it back.

#2 Updated by spriver 2017-08-18 15:55:59

I’d like to have this implemented (as I also fell over this bug in plain Debian and got annoyed by it). I also like bertagaz’ idea of documenting how to switch back to the default, we already have a section “OpenPGP encryption with Enigmail” in the documentation of Thunderbird, this could fit in there IMHO.

#3 Updated by intrigeri 2017-08-19 13:37:49

bertagaz wrote:
> anonym wrote:
>> I think we should proactively disable it by setting
>> […]

> I agree!

+1

Now, I love the Memory Hole idea and I appreciate TorBirdy is proactively trying to push it forward. I would love to see us be part of those who help make it happen on the long-term, rather than on the side of those who de facto block it. This part of the discussion is not a blocker for applying the proposed change, and it might require another ticket. For now I’ll start here. One way we could do it is to announce that we’ll enable Memory Hole by default in Tails at $DATE, as a way to encourage MUA authors to add support for it. This should probably be coordinated with the Memory Hole community/authors’ strategy and timeline. E.g. there’s little chance that MUAs shipped in GNU/Linux LTS/stable releases will get Memory Hole support before the next release of said LTS, so I guess our deadline can’t realistically be before the Buster release + a couple months, i.e. in two years. Thoughts, opinions? dkg, what do you think?

> But we may also want to document how to set it back.

I see no particular reason why we should document this specific opt-in (currently obscure) feature more than thousands of other opt-in features in software we ship, so I strongly believe this should not be a blocker.

#4 Updated by sajolida 2017-08-19 16:51:31

  • Subject changed from Decide what to do with Mail Hole in Thunderbird to Decide what to do with Memory Hole in Thunderbird

#5 Updated by Anonymous 2017-08-20 10:40:38

As I will prepare the Torbirdy package for Debian, don’t you think we should simply add the pref to the Debian package directly?

#6 Updated by anonym 2017-08-22 10:56:42

u wrote:
> As I will prepare the Torbirdy package for Debian, don’t you think we should simply add the pref to the Debian package directly?

I would argue so, but it’s worth noting that dkg disagrees: https://github.com/ioerror/torbirdy/issues/33

#7 Updated by anonym 2017-08-22 11:01:58

I created a ticket on the dead upstream tracker which I’ll summarize here:

anonym wrote:
> dkg wrote:
> > anonym wrote:
> > > TorBirdy 2.3 sets `extensions.enigmail.protectHeaders = true`, enabling Mail Hole for all sent emails. However, Mail Hole significantly degrades UX for non-Mail Hole recipients, for example by setting a static subject (“Encrypted Message”) and breaking threading by dropping In-Reply-To.
> > I am surprised to hear that the initial implementation of memory-hole drops either In-Reply-To: or References: header. Has anyone reported that as a problem upstream?
> When Memory Hole is enabled I think protecting In-Reply-To and References makes sense since those otherwise would leak thread activity. So not a bug/problem IMHO.
> > setting the static subject (and having the actual subject inside the
> > e-mail, viewable by non-memory-hole clients) is a clear improvement,
> > not a degradation. Please don’t drop that advancement in torbirdy.
> I agree that Memory Hole is a huge improvement, but only when all participants use it. Those that lack support will unquestionably have a worse UX given the loss of Subject and threading. Or am I missing something? If not, then I argue that we should wait until Memory Hole support is more wide-spread; I fear enabling it now will be counter productive given that it makes OpenPGP even more inconvenient to use and adopt than it already is. (Case in point: we’ve already had some inconvenience within the Tails project, and if us cryptonerds have problems, I think it’s safe to assume average users will as well.)

#8 Updated by Anonymous 2017-09-11 15:55:22

I have pretty good news! I just prepared the new Torbirdy Debian package 0.2.3-1.
This is the release that enables Memory Hole by default. With enigmail from Debian Stretch, currently 2:1.9.8.1-1~deb9u, my email subjects get correctly decrypted. I briefly see “Encrypted message”, then I see the subject. So, my understanding right now is, that it is safe to enable this, at least in Debian. As for threading: this is unfortunately broken and I will report this upstream (dkg/enigmail/Thunderbird).
And with Schleuder it’s totally broken, so I’ll check if there is already a bug report upstream or not for this.

An option would be to disable Memory Hole in a Stretch backport or in Tails directly by disabling this preference.

This would allow to the aforementioned software developers (Schleuder, enigmail, Thunderbird) to have a bit more time to try to fix this before we ship it to users.

What do you think?

#9 Updated by Anonymous 2017-09-11 16:07:14

Update on Memory Hole in Schleuder: https://0xacab.org/schleuder/schleuder/issues/74 there are plans to implement it and I’ve asked for a timeline on their tracker.

#10 Updated by Anonymous 2017-09-11 16:36:56

Now, concerning the threading, I’ve created a threaded answer and in the encrypted part of my email, the headers persist:

Content-Type: multipart/mixed; boundary="o71DpCxQ3qQLbEQs9dFKIufk05I12fXSw";
 protected-headers="v1"
From: u <u @example.org>
To: u <u @example.org>
Message-ID: <151efb5d-02fe-7c96-53b2-f9bfcac39a3f@example.org>
Subject: Re: test
References: <6d423892-5a60-9a71-db42-662dcaa78ac3@example.org>
In-Reply-To: <6d423892-5a60-9a71-db42-662dcaa78ac3@example.org>

I’m a bit lost concerning which part of the setup is not able to show me threaded emails, is it Enigmail’s or Thunderbird’s fault? I’ve just sent an email to dkg, anonym & Sukhbir to ask for their insight so that I can report this somewhere.

#11 Updated by intrigeri 2017-09-12 07:19:36

> I have pretty good news! I just prepared the new Torbirdy Debian package 0.2.3-1. This is the release that enables Memory Hole by default. With enigmail from Debian Stretch, currently 2:1.9.8.1-1~deb9u, my email subjects get correctly decrypted. I briefly see “Encrypted message”, then I see the subject.

Excellent, thanks for testing! I assume this works even with current torbirdy/stable, right? (IIRC Torbirdy merely enables a pref, it doesn’t ship the Memory Hole code itself.)

> So, my understanding right now is, that it is safe to enable this, at least in Debian.

Agreed.

I’ll paste here the reasoning that lead me to the same conclusion (everywhere I’ve written “MUA” bellow, things apply to “encrypted mailing list software” as well):

My reasoning was that there must be some kind of wake up call for authors and users of MUAs, that states that after $DEADLINE, all the MUAs that support Memory Hole will enable it by default for outgoing email. And then these people have time to write the needed code or switch to a different MUA. The problem is, there’s no way to reach out to all these people easily (the devs can probably be reached, but I dunno how to write to all users of $MUA). The problem with my reasoning is that it’s very nice in theory, but not applicable in practice. So in some way enabling the thing in Torbirdy is perhaps the best wake up call one can send. It tells a number of innocent bystanders (like me) that they should switch to another MUA or improve the one they use. Then at a smaller scale (e.g. the Tails community) we can hear this wake up call and set our own deadline internally, after which it’ll be OK to send Memory Hole -enabled email. I dunno if the Memory Hole people reached out to MUA developers or not, so I’m not in a good position to tell if MUA devs have had enough time to react or not.

> An option would be to disable Memory Hole in a Stretch backport or in Tails directly by disabling this preference.

Wrt. Stretch backports: Torbidy is not there yet, and I don’t know if/when/why we’ll need it there, so let’s postpone this. Hopefully we’ll have clarified our thoughts & plans then :)

Wrt. Tails: as long as we stick to torbirdy/stable, we’re not affected. But I think we should be proactive and explicitly disable the pref now, so we don’t forget about it whenever we upgrade to Torbirdy 0.2.3 or newer for a totally unrelated reason (such as… switching to Debian testing :)

#12 Updated by Anonymous 2017-09-12 12:38:30

intrigeri wrote:
> > I have pretty good news! I just prepared the new Torbirdy Debian package 0.2.3-1. This is the release that enables Memory Hole by default. With enigmail from Debian Stretch, currently 2:1.9.8.1-1~deb9u, my email subjects get correctly decrypted. I briefly see “Encrypted message”, then I see the subject.
>
> Excellent, thanks for testing! I assume this works even with current torbirdy/stable, right? (IIRC Torbirdy merely enables a pref, it doesn’t ship the Memory Hole code itself.)

Absolutely.

> > An option would be to disable Memory Hole in a Stretch backport or in Tails directly by disabling this preference.
>
> Wrt. Stretch backports: Torbidy is not there yet, and I don’t know if/when/why we’ll need it there, so let’s postpone this. Hopefully we’ll have clarified our thoughts & plans then :)

Since I’ve uploaded a new version of Torbirdy today, we’re not that far from a backport for Stretch :)

> Wrt. Tails: as long as we stick to torbirdy/stable, we’re not affected. But I think we should be proactive and explicitly disable the pref now, so we don’t forget about it whenever we upgrade to Torbirdy 0.2.3 or newer for a totally unrelated reason (such as… switching to Debian testing :)

I think I should disable it in the backport directly.

I also created a page on the Debian Wiki, just in case people want to disable it manually: https://wiki.debian.org/TorBirdy

#13 Updated by anonym 2017-09-12 14:22:34

intrigeri wrote:
> My reasoning was that there must be some kind of wake up call for authors and users of MUAs […]

I completely agree that this has to happen at some point. But I don’t think now is the correct time. Memory Hole does not even have a full specification: the current draft doesn’t even say what do do with In-Reply-To/References. Given this I have very little trust in this “wake up call” strategy ending up with good results.

#14 Updated by Anonymous 2017-10-03 17:50:05

I discussed this a bit with intrigeri. What I did in the meantime is upload the new Torbirdy version to Debian, not disabling memory hole. I will not create a backport for Stretch so Tails will now continue to use the stable version.

However, we could in Tails use the version from testing and disable Memory Hole in Tails at least until more MUAs implement it.

#15 Updated by Anonymous 2017-12-04 19:08:53

Proposal from today’s monthly meeting:

- We disable Memory Hole for outgoing emails in Tails.

- We wait 1 more year before discussing again a strategy one when to enable it back.

- Keep an eye open on what other MUA and encrypted mailing list software are doing.
- Tweet about how cool Memory Hole is and that we want to enable soon but are blocked with other software.

#16 Updated by intrigeri 2017-12-05 09:13:40

  • Assignee deleted (None)

> - Tweet about how cool Memory Hole is and that we want to enable soon but are blocked with other software.

If I understood it right (not 100% clear from the meeting logs) you volunteered to do this. If yes, great, and I’ll be happy to review the phrasing if you wish. If not, please reassign to me and I’ll handle it :)

#17 Updated by Anonymous 2018-01-19 10:26:37

  • related to Bug #15201: Disable Memory Hole for outgoing emails in Tails added

#18 Updated by Anonymous 2018-01-19 10:29:04

  • Assignee set to intrigeri
  • Target version changed from Tails_3.5 to Tails_3.6

u wrote:
> Proposal from today’s monthly meeting:
>
> - We disable Memory Hole for outgoing emails in Tails.

→ created Bug #15201

> - Tweet about how cool Memory Hole is and that we want to enable soon but are blocked with other software.

→ I’d prefer if intrigeri handles this - your phrasing might be much more precise than mine! :) Deal?

> - We wait 1 more year before discussing again a strategy one when to enable it back.

I propose to leave this ticket here open for at least a year and get back to it in the beginning of 2019.

> - Keep an eye open on what other MUA and encrypted mailing list software are doing.

Same as above. -> please adjust the target version accordingly or drop it entirely when you did the tweet.

#19 Updated by intrigeri 2018-01-19 11:22:37

>> - Tweet about how cool Memory Hole is and that we want to enable soon but are blocked with other software.

> → I’d prefer if intrigeri handles this - your phrasing might be much more precise than mine! :) Deal?

Deal. I’ll ask you to review my phrasing.

I would also like us to ask the Memory Hole folks what their strategy is: I’ve reviewed the current state of things again last week and it’s still unclear to me (the specification is incomplete, guidance for email client developers is lacking on important aspects, and AFAICT Enigmail is the only thing with proper support right now, so Torbirdy enforcing Memory Hole now seems to be bound to result in building a “Memory Hole breaks stuff, let me get used to disable it and I won’t want to reconsider before years after it’s actually a good idea to use it” culture, which IMO is a bad strategy).

#20 Updated by intrigeri 2018-02-19 11:33:19

Regarding the “Memory Hole support in Enigmail breaks threads” issue: I’ve just confirmed it with 1.9.9-2 but it’s fixed in 2.0~beta1-1 (details.

#21 Updated by intrigeri 2018-02-19 12:01:14

intrigeri wrote:
> >> - Tweet about how cool Memory Hole is and that we want to enable soon but are blocked with other software.
>
> > → I’d prefer if intrigeri handles this - your phrasing might be much more precise than mine! :) Deal?
>
> Deal. I’ll ask you to review my phrasing.
>
> I would also like us to ask the Memory Hole folks what their strategy is:

Requested input from dkg.

#22 Updated by intrigeri 2018-02-19 12:01:27

  • Target version changed from Tails_3.6 to Tails_3.7

#23 Updated by intrigeri 2018-03-23 11:01:55

  • Target version changed from Tails_3.7 to Tails_3.8

I’ll ping dkg during the 3.8 cycle.

#24 Updated by Anonymous 2018-04-12 12:19:29

Uploaded new version of Torbirdy to Debian unstable today. This version has by default support for Memory hole and Autocrypt.

#25 Updated by intrigeri 2018-05-24 09:58:06

  • Target version changed from Tails_3.8 to Tails_3.9

intrigeri wrote:
> I’ll ping dkg during the 3.8 cycle.

Done

I’ll ping again (if needed) in a couple months.

#26 Updated by intrigeri 2018-05-25 06:42:28

  • Target version changed from Tails_3.9 to Tails_3.10.1
  • Type of work changed from Discuss to Wait

intrigeri wrote:
> intrigeri wrote:
> > I’ll ping dkg during the 3.8 cycle.
>
> Done

And dkg replied already :)
His reply clarifies what remains to be done and where before we can tweet about this topic.
I’ll come back to it in a few months and reassess the situation, in order to decide whether we can write this tweet.

#27 Updated by intrigeri 2018-08-20 10:14:08

  • Target version changed from Tails_3.10.1 to Tails_3.11

Would be nice to reach a conclusion in time for the Buster freeze because if there’s not sufficient progress for us to even tweet about this, I doubt Buster should be released with a Torbirdy that forcefully enables Memory Hole.

#29 Updated by intrigeri 2018-11-17 15:18:27

  • Description updated

I’ve filed a Torbirdy ticket https://trac.torproject.org/projects/tor/ticket/28493 where I explain why IMO Torbirdy should stop fiddling with protected headers settings. If nothing happens there fast enough, I might propose that we implement this in Debian in time for the Buster freeze.

#30 Updated by intrigeri 2018-11-17 15:18:43

  • Target version changed from Tails_3.11 to Tails_3.12

#31 Updated by intrigeri 2019-01-12 16:23:47

  • Target version changed from Tails_3.12 to Tails_3.14

intrigeri wrote:
> I’ve filed a Torbirdy ticket https://trac.torproject.org/projects/tor/ticket/28493 where I explain why IMO Torbirdy should stop fiddling with protected headers settings.

No reply there yet.

> If nothing happens there fast enough, I might propose that we implement this in Debian in time for the Buster freeze.

I’ve just tested the whole thing on sid and I confirm that this Torbirdy code is a no-op nowadays, due to the corresponding Enigmail pref having been renamed. So thanks to this bug, in Buster Torbirdy will have the behaviour we want, i.e. it won’t forcibly enforce protected headers. Hopefully nobody will want to “fix” that.

IMO no further urgent action is needed, so I’ll come back to it in a few months for yet another review of the state of this ecosystem.

#32 Updated by intrigeri 2019-01-12 16:24:14

  • Target version changed from Tails_3.14 to Tails_3.15

#33 Updated by intrigeri 2019-06-08 10:20:36

#34 Updated by intrigeri 2019-06-08 17:25:09

  • Status changed from Confirmed to Resolved

No recent update on the remaining blocker (having a more complete spec for developers MUA and encrypted mailing list managers) for us to tweet about this ⇒ we can’t move forward with the strategy we decided; the situation is essentially unchanged since we discussed this last so I’m giving up; I see nothing more we can do ourselves at this point so Memory Hole will remained disabled by default in Tails for now.

If anyone wants to reopen this discussion, please read the “[Tails-dev] Memory Hole: strategy and timeline” thread and this ticket.

I’ve pinged on the Torbirdy bug but that’s not a blocker here.

#35 Updated by anonym 2019-06-19 12:07:39

  • Target version changed from Tails_3.15 to Tails_3.14.1