Opened 3 years ago

Last modified 12 days ago

#13607 new enhancement

TorBirdy should have an option to distrust all certificate authorities

Reported by: sajolida Owned by: ioerror
Priority: Medium Milestone:
Component: Applications/TorBirdy Version:
Severity: Normal Keywords:
Cc: sajolida@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The certificate authorities (CA) mechanism for validating TLS has proven to be rotten to the core on several occasions. While browsing the web, not relying on it is quite hard as you might be presented a different certificate on each webpage that you are visiting. But in the case of email, you basically always use the same and only one: the certificate from your email provider. So trusting all those CAs by default and allowing so many possible man-in-the-middle attacks is not really needed for usability.

TorBirdy could have an option to distrust all CAs by default and only rely on custom certificates (exceptions).

Users could, in the worst case, do TOFU authentication (trust on first use) and be guided on how to do so. At best their provider can give them better ways of authenticating their certificates. Riseup is proposing this on their website for example:

Change History (3)

comment:1 Changed 3 years ago by sukhbir

While I don't disagree with your general idea, disabling all certificates and then expecting users to understand TOFU and guiding them to do it is likely not a good idea. Remember that the intended audience is users who might not even know what a certificate is (or even care). Asking them to add an exception for their mail provider is probably not going to work out well.

comment:2 Changed 3 years ago by sajolida

Note that I'm not suggesting to make this the default option, but have it opt-in. You already have other options like this I think.

Regarding TOFU and usability. I can think of similar processes in other software that work pretty well:

  • In OTR you do TOFU without even noticing it. Then you have option to further identify people if you wish (and you are recommended to do so).
  • In Claws Mail in Tails, there's currently no CA verification and people have to do TOFU and are prompted with the fingerprint of the server they connect to and are asked whether to trust it for future uses. I know that Claws is not very fancy and has many UX issues, but I don't remember people complaining about this particular step.

So TOFU can work without having to lead people through scary warnings and exceptions like Firefox does. Because the certificate scenario in the case of email is very different as I explained earlier. It resembles more the scenario of OTR than the scenario of browsing a random HTTPS website because it's a long-term usage with a single entity.

On top of such a simplistic TOFU mechanism, in the case of TorBirdy it would actually be possible to do a first sanity check of the certificate against its CA before proposing the TOFU. Right now you are doing "trust on each use" by verifying the same certificate from scratch each time through any available CA. I think that trusting it only once would definitely be better.

So we could reuse that information in the UX as well, and say something like: "Hey, this certificate is new. Do you want to store it and trust it permanently from now on? Note that we managed to verify it successfully against its CA NameOfTheCA so everything looks good."
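The trust-once flow described in comment:2, written out as an added Python example. This is not TorBirdy's code and is not from the ticket: it is an illustration of pinning the mail server's certificate on first use, comparing the pinned SHA-256 fingerprint of the DER certificate on every later use (so the CA store is consulted only once), and recording whether that first-seen certificate also validated against the system CA store so the prompt can name the issuer. The host names, the JSON pin file layout, and the `Verdict` names are assumptions made here; the sample certificate bytes are constructed stand-ins, not real certificates.

```python
"""Trust-on-first-use (TOFU) pinning for a mail server certificate, with a
one-time CA sanity check. Added example, not TorBirdy code."""
import hashlib
import json
import socket
import ssl
from enum import Enum
from pathlib import Path
from typing import Optional, Tuple


class Verdict(Enum):
    NEW_CA_OK = "new certificate; it also verifies against a trusted CA"
    NEW_CA_FAIL = "new certificate; it does NOT verify against any trusted CA"
    PINNED_MATCH = "matches the certificate pinned on first use"
    PINNED_MISMATCH = "DOES NOT match the certificate pinned on first use"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding; this is what a user would compare by hand."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """Pins one certificate fingerprint per 'host:port'.

    With path=None the store is in-memory only (used by the self-test);
    otherwise pins are persisted as JSON (assumed layout, not TorBirdy's)."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def check(self, host: str, port: int, der_cert: bytes, ca_ok: bool) -> Verdict:
        """Decide what to tell the user. ca_ok is only consulted for a NEW cert:
        once pinned, the fingerprint alone decides (trust once, not on each use)."""
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return Verdict.NEW_CA_OK if ca_ok else Verdict.NEW_CA_FAIL
        return Verdict.PINNED_MATCH if pinned["sha256"] == fingerprint(der_cert) else Verdict.PINNED_MISMATCH

    def pin(self, host: str, port: int, der_cert: bytes, ca_ok: bool, issuer: str = "") -> None:
        """Called only after the user accepted a NEW certificate."""
        self.pins[f"{host}:{port}"] = {
            "sha256": fingerprint(der_cert),
            "ca_verified": ca_ok,
            "issuer": issuer,
        }
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))


def fetch_cert(host: str, port: int = 993, timeout: float = 10.0) -> Tuple[bytes, bool, str]:
    """Return (DER cert, ca_ok, issuer name). Tries normal CA validation first;
    if that fails, reconnects without validation just to retrieve the cert so
    the user can still be offered TOFU. Needs network; not exercised offline."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"]).get("organizationName", "")
                return der, True, issuer
    except ssl.SSLError:
        pass  # CA validation failed (or other TLS error); fall back below
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), False, ""


def prompt_text(host: str, port: int, der_cert: bytes, verdict: Verdict, issuer: str = "") -> str:
    """The wording sketched in the ticket, built from the verdict."""
    msg = f"{host}:{port}: {verdict.value}. SHA-256 {fingerprint(der_cert)}"
    if verdict is Verdict.NEW_CA_OK and issuer:
        msg += f". We verified it successfully against its CA {issuer}, so everything looks good."
    return msg


if __name__ == "__main__":
    # Offline demonstration with constructed certificate bytes (not real DER).
    store = TofuStore()
    first = b"constructed-der-cert-A"
    v = store.check("mail.example.net", 993, first, ca_ok=True)
    print(prompt_text("mail.example.net", 993, first, v, issuer="Example CA"))
    store.pin("mail.example.net", 993, first, True, "Example CA")
    print(store.check("mail.example.net", 993, first, ca_ok=False))       # PINNED_MATCH
    print(store.check("mail.example.net", 993, b"other-der", ca_ok=True))  # PINNED_MISMATCH
```

The one design choice worth noting: after pinning, `ca_ok` is deliberately ignored, which is exactly the "trust only once" behaviour the comment argues for. A mismatch is surfaced as its own verdict rather than silently re-prompting, since for a single long-lived mail server a changed fingerprint is the event the user most needs to notice.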

comment:3 Changed 12 days ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
