Trustedbird: Additional email security for Thunderbird

A collaboration between the French military, BT, and Mozilla has resulted in a version of Thunderbird that has features more suited to military organizations. Trustedbird includes changes to Thunderbird to support additional encryption and message handling options, and some of that code has made its way into the Thunderbird 3 release. The reasons given for working with free software, rather than a proprietary alternative, make it clear that access to the source and the ability to make changes—hallmarks of free software—were key.

There are a number of message handling features that were added into the Trustedbird core, along with some additional features that were implemented as add-ons that will work with either Trustedbird or Thunderbird. The add-ons are for features that others might find useful outside of organizations that require the level of security that Trustedbird provides. Features like Multi-LDAP directory lookup for addresses, MDN Extended for deletion receipt handling, and Mail XForms that allows adding various headers through forms, are all available as add-ons. There is a list of these add-on on the documentation page.

The Thunderbird changes that make up Trustedbird are all based on various RFCs and may well end up in Thunderbird itself some day. Much of the work was based on RFC 2634 (Enhanced Security Services for S/MIME), which includes "triple wrapping", signed receipts, and security labels. In addition, Trustedbird implements Delivery Status Notification (DSN), based on RFC 3461, and SMTP Priorities based on a draft RFC.

For military organizations, it is important to be able to receive signed and encrypted messages that have not been surreptitiously forwarded. Standard encrypted email only signs the body of an email before encrypting it with the recipients public key. A malicious recipient can re-encrypt the mail with a different recipient's key and forward the mail (presumably with some header forgery). The new recipient may be confused into believing the mail was actually sent to them (as the signature will verify for the original sender).

Triple wrapping allows a recipient to detect that the mail has been forwarded by also signing the encrypted message. That additional signing can be done over some additional headers, along with the encrypted body, but that is not required. A proper message will be signed twice by the sender, while a surreptitiously forwarded one requires that the attacker re-encrypt the body (using the new recipient's public key), which will invalidate the outer signature.

Signed receipts are basically what they sound like. A receipt that a message has been received can be signed by the recipient. When a properly signed receipt is received by the sender, they can be sure that the recipient did receive the message—or at least that their Trustedbird client did.

Security labels are headers that can be added to the signed portion of a triple wrapped message and specify various kinds of information about the security policy that applies to the message. Standard labels like "classified" or "top secret" can be applied, and then be enforced based on the recipient's access level. The labels themselves can be customized in an XML file, but it is unclear from the documentation how exactly the security policies are specified and propagated.

The DSN feature has already been incorporated into Thunderbird 3. It allows clients to ask the Mail Transfer Agent (MTA, e.g. Sendmail or Postfix) for a notification on the delivery status of an email. Three kinds of notifications can be requested: success, failure, or delay in delivering the email.

SMTP Priority allows for five levels of priority (NONE, ROUTINE, PRIORITY, IMMEDIATE, and FLASH) to be sent to an MTA in the envelope part of the SMTP conversation. For additional complexity, different priorities can be given for each recipient. MTAs must be changed to support priorities so Trustedbird provides a priority email gateway that works with Postfix using Qpsmtpd.

While most of these are features that may be of little interest to many, it is always nice to see governments taking advantage of the benefits of free software. In addition, some of the features—triple wrapping in particular—may well be of interest to those who regularly use email encryption. The fact that the French military is working with the Thunderbird project to get its code upstream is also rather novel for government-sponsored projects.

It seems likely that Trustedbird will find its way into more agencies and organizations with a need for a higher security level in their email handling; the fact that it's free software will likely save the taxpayers in those places some money—always a good thing. It also shows that free software ideas and ideals have rather wide applicability. It is not just monetary savings; there is something rather comforting in knowing what's in the code that is being used for security purposes.