Thunderbird to add built-in support for OpenPGP email encryption standard

Image: Mozilla

Mozilla announced plans this week to add native support for the OpenPGP email encryption standard inside Thunderbird, the organization’s open-source email client.

Support is expected to land in the summer of 2020, Mozilla said in a wiki page created on Monday.

Thunderbird v78 is currently scheduled to be the first Thunderbird version with built-in OpenPGP support. The current Mozilla Thunderbird version is v68.1.1.

What is OpenPGP

OpenPGP is an email encryption standard (IETF RFC 4880) derived from Pretty Good Privacy (PGP), a software application developed in the early 1990s, designed for encrypting emails.

Using OpenPGP with regular email is a very complex process, and involves managing encryption keys, signing, and then encrypting the email’s actual content, usually from a command-line interface.

Across the years, developers have created software to automate and simplify this process, making email encryption possible even for non-technical users. On Thunderbird, the only solution for using OpenPGP encryption has been Enigmail, a Thunderbird add-on.

Thunderbird add-on change

But Enigmail won’t work with upcoming Thunderbird versions. This is because back in December 2017, Mozilla announced plans to update and upgrade Thunderbird’s source code.

These plans, following a similar code upgrade for Firefox, include changing Thunderbird’s add-ons APIs, the ones Enigmail uses to interact with Thunderbird.

The Thunderbird 68.x branch is the last Thunderbird version that will support these APIs — and inherently the Enigmail add-on.

“As a replacement for Enigmail, the Thunderbird team intends to develop new, integrated support for OpenPGP messaging,” Mozilla said yesterday. “We are happy that Patrick Brunschwig, who has been developing and maintaining the Enigmail Add-on for many years, has offered to assist the Thunderbird development team.”

Licensing problems

The process of porting and adapting Enigmail features to the Thunderbird source is a long and winding one. Some key aspects have been detailed on this wiki page.

However, the first problem Mozilla devs will have to solve is with finding a new library to support the OpenPGP standard.

Currently, Enigmail requires users to install third-party software like GnuPG or GPG4Win before installing Enigmail itself.

This will have to change when Enigmail is ported inside Thunderbird. These libraries will need to be added inside Thunderbird itself, something that’s currently impossible.

“Thunderbird is unable to bundle GnuPG software, because of incompatible licenses (MPL version 2.0 vs. GPL version 3+),” Mozilla said.

“Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, we intend to identify and use an alternative, compatible library and distribute it as part of Thunderbird on all supported platforms.”

What Mozilla devs will do remains to be seen, and they might end up creating a new OpenPGP library from scratch — which might take up a lot of Mozilla’s resources but will be a win for the open-source community as a whole.

READ MORE HERE