Security/Security Bugs/EncryptedBugmail

From MozillaWiki
Jump to: navigation, search

Secure Mail will soon by turned on for bugs in the "Security-Sensitive Core Bug" group in Mozilla's Bugzilla. This bug group includes all reported client security issues that are not web-related. Specifically, this is for general platform, JavaScript engine, Firefox, and Thunderbird code.

This will change the default Bugzilla email notification for bugs in the "Security-Sensitive Core Bug" group to simply say that a bug has changed, giving no details except for a link to the bug. In order to receive the same bug details for security bugs as normal bugs, Bugzilla users will need to install a PGP-compatible public key or an S/MIME key in Bugzilla.

For members of the "Security-Sensitive Core Bug" group, you will not be able to reset your password through email without uploading an encryption key. Password resets will only be available by contacting bugzilla-admin@mozilla.org. This is to keep password reset URLs for sensitive accounts from being sent as a cleartext.

There is basic information on Secure Mail available on Bugzilla that explains some of the functionality.

Frequently Asked Questions (FAQ)

1. Why are we making this change?

There has been concern for some time that email containing security problems that can affect hundreds of millions of people are being sent to developers and other interested parties as clear text. This means that there is a risk of interception as the email is sent across the Internet or if mail is stored offline on a local machine with the mail client. By switching to encrypted email for security bugs, we lessen the risk of accidental exposure of security issues.

This change does make it more difficult to read bug mail for security issues in web-hosted mail services but there is always the option of not setting up secure mail for an account and simply going to Bugzilla to view changes in security bugs.

This change was piloted by the former Infrasec team at Mozilla, which focused on security issues in Web sites and infrastructure, and it was found to work well.

2. How can I upload a Public Key?

Load your Secure Mail preferences tab for Bugzilla. This tab has a textarea where you can enter your PGP/GPG public key or S/MIME certificate.

3. What if I take no action?

If you do not upload an encryption key and there is an update to a bug in a secure group, you will receive a notification that the bug has changed when it is updated but no details of the change. In order to view the details, you will need to visit the provided link in the e-mail to see the bug on Bugzilla.

Additionally, without uploading a key, you will not be able to reset your Bugzilla password over e-mail since the mail cannot be encrypted. You will require the assistance of an administrator (bugzilla-admin@mozilla.org) for password resets. (Note: you can still change your password; you just can't retrieve it via URL-to-email if you've forgotten it.)

Here is a sample email you would receive if you have not uploaded an encryption key:

 Subject: [Bug 1234] (Secure bug updated)
 Date:	Thu, 01 Mar 2012 21:21:53 +0000
 From:	bugzilla-daemon@mozilla.org
 To:	you@mozilla.com
 This email would have contained sensitive information, and you have not set 
 a PGP/GPG key or SMIME certificate in the "Secure Mail" section of your user 
 preferences. 
 In order to receive the full text of similar mails in the future, please 
 go to: 
 https://bugzilla.mozilla.org/userprefs.cgi?tab=securemail 
 and provide a key or certificate.
 You can see this bug's current state at: 
 https://bugzilla.mozilla.org/show_bug.cgi?id=1234

4. I don't want to see these emails anymore, how do I turn them off?

You can change your preferences for when you wish Bugzilla to send you mail in your Email Preferences tab for your Bugzilla preferences. This contains a variety of settings for when Bugzilla should send you email and for the components you are watching.

5. How do I make a PGP/GPG public key or get an S/MIME certificate?

PGP/GPG keys have the advantage of being completely free to create but the disadvantage of being somewhat cumbersome to set up and use in comparison to S/MIME.

You can read a Quickstart for GPG or the one written by the Enigmail team. (There is an older Linux-oriented article as well.)

PGP/GPG keys uploaded to Bugzilla must be ASCII-armoured (i.e. text, with the first line containing BEGIN PGP PUBLIC KEY) in order to work.

You can obtain an S/MIME certificate from a number of providers. You can get a free one from StartCom or pay Verisign for one. Once you have it, export it from your browser as a .p12 file and import it into your mail client. S/MIME Keys must be in PEM format - i.e. Base64-encoded text, with the first line containing BEGIN CERTIFICATE.

In order to upload it to Bugzilla, you will need to convert the certificate to the PEM format.

If you have OpenSSL installed and want to use the command line, you can extract your client certificate from the .p12 file that you have exported:

 openssl pkcs12 -in certificate.p12 -out certificate.pem -nokeys -clcerts

Another approach is to use Certificate Manager. To open it in Firefox or Thunderbird, use menu command Edit, Preferences, Advanced, Encryption (or Certificates in Thunderbird), View certificates.

Now click the "My Certificates" tab, find your own certificate, click "View", click the "Details" tab, click "Export". Save using the suggested default file format (X.509 Certificate PEM). The file will contain a single certificate, paste the file contents into the Bugzilla form.

6. Where can I get more information on setting this up for my mail client?

If you are using Thunderbird, S/MIME is supported out of the box. You can run Enigmail, a Thunderbird extension, to read GPG encrypted e-mail. Basic setup instructions are here for it.

If you are using OS X's Mail.app, you can use GPGMail, a GPG-compatible addon.

Ars Technica has published an article on adding S/MIME certificates to Mail.app and iOS devices (and there is another article here as well.

LuxSci FYI has an article on configuring Outlook and other email clients to use S/MIME and GPG as well.