Tails

#2 Updated by sajolida 2018-09-07 12:17:03

• File preferences.png added

#6 Updated by intrigeri 2018-09-11 09:41:50

• Status changed from New to Confirmed
• Assignee set to sajolida
• QA Check set to Info Needed

sajolida wrote:
> Ah, and goupille is just the first such email in the list but I have a whole bunch of others, like Alan and other folks.

Just guessing at this point: it might not be coincidental that goupille and Alan’s key recently expired and was updated late (either very close before the expiration date or after it). Perhaps at some point you’ve received email from them, with their autocrypt attaching their expired key, your autocrypt importing it and deciding it was not usable. It might be useful to check if the “whole bunch of others” are similar cases.

#7 Updated by sajolida 2018-09-11 16:43:43

• Assignee deleted (sajolida)
• QA Check deleted (Info Needed)

The “bunch of others” are actually two. I don’t think they have been updated recently because their expiry dates are in early June 2019 and late May 2023, so assuming that when people postpone their keys they postpone it by at least one year that doesn’t match the release of even 3.8 (ie. worse case they were already updated for 3.8).

#8 Updated by intrigeri 2018-09-18 15:38:28

• Assignee set to intrigeri

goupille wrote:
> sajolida wrote:
> > Something weird is that in my autocrypt preferences, I have unchecked the following preference: Prefer encrypted emails from the people you exchange email with. Why would this be off by default?
>
> This option is not checked for me neither and I’m pretty sure I didn’t do it myself

This maps to the mail.server.default.acPreferEncrypt pref, whose default value is 0 which means “nopreference”; the code has a comment that says “Autocrypt default according spec”.

When this pref is set to 0, a Autocrypt-Prefer-Encrypt: nopreference is added to the “Autocrypt Setup Message” (not sure what this is yet); otherwise a Autocrypt-Prefer-Encrypt: mutual header is added. I think that’s used for some kind of negotiation between MUAs, and once the negotiation is done successfully, per-recipient rules are updated (updateRuleForEmail).

Now, I see there’s a setAutocryptForOldAccounts function that’s supposed to set the Autocrypt prefer-encrypt option to “mutual” for all existing accounts. It’s run by upgradeTo201 which is run if vc.compare(oldVer, "2.0.1a2pre") < 0. So upgrading to Tails 3.8 should have triggered this… if the code works as planned and the upgrade path was indeed followed successfully to the end.

If the migration to 2.0.1+ failed for some reason, and thus acPreferEncrypt is set to 0 for your email account, then I guess the Autocrypt negotiation will lead to per-email rules being added that disable encryption.

Recovering from such failed migration paths is not very easy. It seems doable to force setAutocryptForOldAccounts to run on every Thunderbird startup for a while, so at least Autocrypt negotiation stops generating rules that disable encryption by default. But I guess that won’t do anything about the problematic per-recipient rules, which I’m quite reluctant to touch programmatically, so sadly, perhaps that second part will be better solved through documentation. (Now, some users might have successfully migrated and then opted-out from Autocrypt, which we would revert if we do that.)

FWIW I see Openpgp: preference=signencrypt in the email sent by sajolida recently.

> I also have per-recipient rules that are marked as “always”. But not everybody :)

Just curious: is this an Autocrypt-generated rule i.e. one that says {autocrypt://… in the “Email” column? Don’t spend too much time on this, I doubt I’ll be able to do much with the answer anyway.

Also, I could perhaps debug this more easily if someone affected shared privately with me their ~/.thunderbird/profile.default/enigmail.sqlite. You might want to take a look at it e.g. with sqlitebrowser first though :)

#9 Updated by intrigeri 2018-10-10 14:56:24

• blocks Feature #15506: Core work 2018Q4: Foundations Team added

#11 Updated by intrigeri 2018-10-20 11:06:06

• Target version changed from Tails_3.10.1 to Tails_3.11

#12 Updated by hefee 2018-11-06 15:30:49

• Assignee changed from intrigeri to hefee

#13 Updated by intrigeri 2018-11-07 15:36:41

• related to Feature #15657: Check which version of Enigmail we should ship added

#16 Updated by hefee 2018-11-29 16:01:11

• File per-user-edit-rules.png added

Okay I can reproduce this issue. I nailed down the issue: Autocrypt adds own per-recipient rule with (never,never) on top of the rule list and that overwrites the other per-recipient rules. If the rule order is changed (autoencrypt rule moved to the bottom), the other rules are preferred and an encrypted mail is sent by default according to the other rules. If there is no other rule available, the autoencrypt rule is preferred over the general setting “Encrypt messages by default” from “Account Settings”.

• I would recommend that Autocrypt adds his new rules on the bottom, to not overwrite existing rules.
• Autoencrypt should not use “never” but better either “yes, if selected in Message Compositor” or even better add an other option, something like “not preferred by recipient”. That should make sure, that the general setting “encrypt messages by default” is not been overwritten by Autocrypt.
• Enable “Prefer encrypted emails from the people you exchange email with.” by default for Tails. This inform recipients, that you prefer to get encrypted replies. Technically this adds “prefer-encrypt=mutual” to the Autocrypt header.

> This maps to the mail.server.default.acPreferEncrypt pref, whose default value is 0 which means “nopreference”; the code has a comment that says “Autocrypt default according spec”.

not sending this header part means, that you don’t have a preference about, if you want to get encrypted replies or not. That’s why we want this preference to be enabled by default, to indicate, that we prefer encrypted replies.

> When this pref is set to 0, a Autocrypt-Prefer-Encrypt: nopreference is added to the “Autocrypt Setup Message” (not sure what this is yet); otherwise a Autocrypt-Prefer-Encrypt: mutual header is added. I think that’s used for some kind of negotiation between MUAs, and once the negotiation is done successfully, per-recipient rules are updated (updateRuleForEmail).

“Autocrypt Setup Message” is a way to exchange the private key material between your devices. And you also want to exchange, if you prefer receiving encrypted messages, or not. IMO don’t bother about “Autocrypt Setup Message” for this issue, as it has nothing to do with this.

#17 Updated by hefee 2018-11-29 16:01:26

• Estimated time set to 1 h

#18 Updated by hefee 2018-12-02 10:57:16

• Estimated time changed from 1 h to 4 h

#19 Updated by intrigeri 2018-12-02 21:51:04

• Status changed from Confirmed to In Progress

#21 Updated by intrigeri 2018-12-03 15:34:52

• Assignee changed from hefee to anonym

#22 Updated by hefee 2018-12-03 16:09:15

• Assignee changed from anonym to hefee

#23 Updated by hefee 2018-12-03 16:19:50

• Target version changed from Tails_3.11 to Tails_3.12

As this needs to be coordinate with upstream - we need more than “just a few days” to fix it. The Workaround is done in a subtask: Bug #16186

#28 Updated by hefee 2019-01-04 10:03:54

• blocked by deleted (Feature #15506: Core work 2018Q4: Foundations Team)

#29 Updated by hefee 2019-01-04 10:04:45

• blocks Feature #15507: Core work 2019Q1: Foundations Team added

#30 Updated by anonym 2019-01-30 11:59:33

• Target version changed from Tails_3.12 to Tails_3.13

#31 Updated by hefee 2019-02-08 15:44:00

• Assignee changed from hefee to intrigeri

As there are no new issues for Autocrypt to send unencrypted messages, I’ll recommend to close this bug as solved. As I don’t see, that more work is needed. The open parts “Document Autocrypt”/ “Disable Autocrypt even for existing persistent Thunderbird profiles” is tracked in subtickets.

#32 Updated by intrigeri 2019-02-09 15:53:07

• Status changed from In Progress to Resolved
• Assignee deleted (intrigeri)

Agreed, even though I thought this ticket was meant to track fixing this upstream so we can re-enable Autocrypt. Perhaps it would be worth to have a “Re-enable Autocrypt” ticket?

I’ve unparented Feature #16223: while it’s related, it’s not a blocker to close this one.

Also, note that we can’t close a parent task as long as it has open subtasks.

#33 Updated by hefee 2019-02-21 17:59:18

• related to Feature #16477: Re-enable Autocrypt added