[tor-talk] TorBirdy suggestion: block subject header when encrypting email

[Shew]

> Yes, I agree that is bad policy, however, TorBirdy is not Enigmail and
> neither require each other to work properly. I, for one, do not use PGP for
> every outgoing email, although I would still prefer to use Tor for my
> Thunderbird traffic. I would suggest the proper remedy for this completely
> legitimate issue would be to file a bug ticket with Enigmail.

I agree that Enigmail is the correct place to enact this, but a search
on the subject brings up this forum post:

http://www.mozilla-enigmail.org/forum/viewtopic.php?f=3&t=328

in which the Enigmail developers do not seem very responsive to the
concerns of sensitive information in the subject header. The stated
opinion of several of the developers is that they wish to wait until a
specification for encrypted headers is published by a standards body
before they will do anything. Granted this is in the context of asking
for it to be encrypted instead of blocking it or warning the user, but
something along those lines was suggested and ignored. The final
suggestion was "There is a simple solution for this problem: don't
write anything sensitive in the Subject." rather than an
acknowledgement that this is a possible source of significant user
error.

Of course the forum thread is in the context of some random users
bringing it up, but if it was in the context of something like TorBirdy
and possibly the Tor Browser Bundle things may be different: "We are
considering bundling your software in a major software package but we
have a couple of concerns. Could you work with us on them?"

P.S. Another thread here:
http://www.enigmail.net/forum/viewtopic.php?f=9&t=723

-- 
Shew

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120901/12f86ac1/attachment.pgp>