Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked. The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month …

  1. Destroy All Monsters Silver badge
    Facepalm

    I don't even know anymore

    This seems to demand the invention of a new class of facepalm all on its own.

    Writing secure code is NOT like driving a dune buggy, FFS.

    1. Steve Crook

      Re: I don't even know anymore

      This is probably the best laugh I'm going to have all day.

      All I could see was some massive compound 'if' statement and an 'if' that really ought to have had braces.

      Brave of him to own up to it. At least he didn't try to claim that the NSA had hacked his repository...

    2. The Man Who Fell To Earth Silver badge
      WTF?

      I'm a little confused

      The description of the error in the release notes is ambiguous.

      " Even when marked to be encrypted, an email with only Bcc recipients is sent in plain text!"

      Does this mean that the bug only shows up & sends mail unencrypted to the BCC recipients when the BCC field is used but the TO & CC fields are blank, or does this mean that the bug always sends mail unencrypted to the BCC recipients independent of the status of the TO & CC fields?

      These are two very different behaviors with two very different probabilities of being triggered due to the way people often use BCC. My experience with BCC both sending and receiving email is that the TO field is always filled with some address, sometimes a dummy address (such as the sender's). If the "only Bcc recipients" requirement is in fact strictly the case, then most instances of using BCC that I've seen would not trigger the bug.

      This just underscores how describing bugs needs to be done with precision.

  2. Ole Juul

    If you have nothing to hide . . .

    . . . use BCC.

  3. Chairo
    Joke

    No, no, you got it all wrong!

    "As a serious user (dissident, whistle-blower, diplomatic or military user) I would now be waiting for the bad guys come and get me with their water-board,"

    It's the good guys that play around with waterboards. The bad guys simply shoot you.

    Edit: Icon - 'cause the whole thing seems to be a bad joke...

    1. asdf

      Re: No, no, you got it all wrong!

      Good guys huh? Looks like you put up the joke alert correctly but for the wrong reason.

  4. Cipher
    Facepalm

    Why not...

    ...encrypt the mail content outside the mail client? Wouldn't this remove a point of failure? Easy to do, and one never has to worry about things like this...

    1. Anonymous Coward

      Re: Why not...

      No, it would ADD points of failure, particularly for e-mail with multiple recipients, because now you have to manually make sure you encrypt the message each time for each recipient. And make sure each one is done with the right key and matched up and so on.

      I don't like having to resort to external programs because it breaks the KISS principle and introduces additional potential points of failure.

  5. Anonymous Coward

    Could not see the forest for the trees

    This is a good lesson learned, actually.

    I bet all the attention was going into getting the encryption routines exactly right and nobody checked to see they were being called at all in every case they were required.

    I've had oversights like that myself (not on such a high profile product, thankfully), but this is a good reminder to take a step back now and again and take a panoramic look at what I'm doing.

  6. frank ly

    ... if one wants to 'Hide BCC recipients' ...

    I thought the entire point of BCC was that nobody else (apart from you, the sender) knew that they had been sent a copy? Have I misunderstood something?

    1. Seanie Ryan

      Re: ... if one wants to 'Hide BCC recipients' ...

      @ frank ly

      BCC = hide recipients

      PGP = encrypt emails

      2 different items.

      Just in this case, if a PGP encrypted email was sent via BCC, then it wasn't encrypted, even though it was meant to be. Make sense?

      Anyway, I am sure the 2 people left who use PGP don't need to use BCC as they only email each other. ;-)

    2. Martin-73 Silver badge

      Re: ... if one wants to 'Hide BCC recipients' ...

      I suspect it means 'hide from your screen now' (That's how I would understand such a question anyway)

      I wonder if the pgp plugin was screen scraping?

    3. Adam 1

      Re: ... if one wants to 'Hide BCC recipients' ...

      I took it to mean that the recipients in the to and cc fields would be moved to the bcc field if you answered yes.

    4. razorfishsl

      Re: ... if one wants to 'Hide BCC recipients' ...

      It depends...

      Some shitty clients send a single email to a server, which then takes the BCC list, strips it and sends a separate email to each user, with the BCC blank... but some have bugs...

      A GOOD email client sends separate emails to the server with NO reference to each other, so even the server does not get to know the BCC list. (Yep, if you have a BCC of 200 addresses it sends the email 200 times to the server... and yes, the server could work out the list, but at least it negates BCC bugs.)

      Web-based systems (Gmail, etc.) are a mixed bunch. But then using BCC with Gmail & web front end makes no sense since Google would get your BCC list...

      Absolutely the WORST piece of crap I dealt with was 'Groupwise' by Novell.

      Their crappy SMTP gateway...

  7. Anonymous Coward

    Surprising

    It's surprising that such an error could have been made: didn't the developers consider at least basic functional testing before release? Even more surprising that no-one noticed (or does it imply that this was a rarely-used function?).

    Still, I guess it's fair to say that users should do their own basic tests on new releases to ensure critical functions that they rely on still work, rather than relying on blind trust.

    1. Cipher

      Re: Surprising

      Good point, I imagine that sending BCC only mail is rather rare though. I can't remember ever doing it, it's not something I would consider doing...

      1. Martin-73 Silver badge

        Re: Surprising

        I have, there are routine areas where even amateurs use this, I used to volunteer with a mental health charity that was tied to the NHS on a project. Due to patient confidentiality, mass emails always got sent with every recipient in the BCC field. (Admittedly we'd not have been using PGP, but I could see situations where you'd use both, routinely.)

    2. Bob Camp

      Re: Surprising

      Well, the users got what they paid for.

    3. Adam 1

      Re: Surprising

      To notice, you would need to be running Wireshark or Fiddler or something. At the UI level, how would you know...
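
Added example (not part of the thread and not Enigmail's code): the regression check the comments above ask for, run at the message level rather than with a packet capture. It composes every non-empty To/Cc/Bcc combination and flags any output that is not structurally PGP-encrypted; `buggy_compose`, `fixed_compose` and `fake_encrypt` are hypothetical stand-ins, and the addresses are constructed.

```python
from email import message_from_string
from itertools import combinations

FIELDS = ("To", "Cc", "Bcc")
ARMOR = "-----BEGIN PGP MESSAGE-----"

def is_pgp_encrypted(raw):
    """Structural check only: PGP/MIME (RFC 3156) or an inline ASCII-armored body."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/encrypted":
        proto = msg.get_param("protocol")
        return isinstance(proto, str) and proto.lower() == "application/pgp-encrypted"
    if msg.is_multipart():
        return False  # mixed containers may carry plaintext parts: fail closed
    body = msg.get_payload(decode=True) or b""
    return body.lstrip().startswith(ARMOR.encode())

def fake_encrypt(text):
    # Stand-in for a real OpenPGP call; only the armor framing matters to the check.
    return ARMOR + "\n\n(constructed placeholder)\n-----END PGP MESSAGE-----\n"

def _headers(fields):
    # Constructed recipient headers, one address per populated field.
    return "".join(f"{f}: {f.lower()}@example.org\n" for f in fields) + "Subject: t\n\n"

def buggy_compose(fields, body):
    """Constructed model of the release note's wording: Bcc-only mail leaves in plaintext."""
    only_bcc = tuple(fields) == ("Bcc",)
    return _headers(fields) + (body if only_bcc else fake_encrypt(body))

def fixed_compose(fields, body):
    """Encrypts regardless of which recipient fields are populated."""
    return _headers(fields) + fake_encrypt(body)

def audit(compose):
    """Return every non-empty To/Cc/Bcc combination whose output is not encrypted."""
    leaks = []
    for n in range(1, len(FIELDS) + 1):
        for fields in combinations(FIELDS, n):
            if not is_pgp_encrypted(compose(fields, "secret body")):
                leaks.append(fields)
    return leaks

if __name__ == "__main__":
    print("buggy:", audit(buggy_compose))
    print("fixed:", audit(fixed_compose))
```

The check confirms only that the message has encrypted framing; whether each recipient's key was actually included still needs a decryption test per recipient.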

  8. I. Aproveofitspendingonspecificprojects

    This didn't happen

    Prior to the official patch, the bug was fixed only in a nightly Enigmail build while the vulnerable stable version remained open for download without prominent warning.

    No way!
