Security/Security Bugs/EncryptedBugmail: Difference between revisions

Jump to navigation Jump to search

Security/Security Bugs/EncryptedBugmail (view source)

Revision as of 10:15, 14 March 2012

147 bytes added ,  14 March 2012
A couple of clarifications and extra useful bits of data
(A couple of clarifications and extra useful bits of data)
Line 1: Line 1:
Secure Mail will soon by turned on for bugs in the "Security-Sensitive Core Bug" group in Mozilla's [https://bugzilla.mozilla.org Bugzilla]. This bug group includes all reported client security issues that are not web related. Specifically, this is for general platform, Javascript engine, Firefox, and Thunderbird code.
Secure Mail will soon by turned on for bugs in the "Security-Sensitive Core Bug" group in Mozilla's [https://bugzilla.mozilla.org Bugzilla]. This bug group includes all reported client security issues that are not web-related. Specifically, this is for general platform, Javascript engine, Firefox, and Thunderbird code.


This will change the default Bugzilla email notification for bugs in the "Security-Sensitive Core Bug" group to simply sending mail saying that a bug has changed with no details except for a link to the bug. In order to receive the same bug details for security bugs as normal bugs, Bugzilla users will need to install a PGP compatible public key or an S/MIME key in Bugzilla.
This will change the default Bugzilla email notification for bugs in the "Security-Sensitive Core Bug" group to simply say that a bug has changed, giving no details except for a link to the bug. In order to receive the same bug details for security bugs as normal bugs, Bugzilla users will need to install a PGP-compatible public key or an S/MIME key in Bugzilla.


For members of the "Security-Sensitive Core Bug" group, you will _not_ be able to reset your password through email without uploading an encryption key. Password resets will only be available by contacting bugzilla-admin@mozilla.org. This is to keep password reset urls for sensitive accounts from being sent as a cleartext.
For members of the "Security-Sensitive Core Bug" group, you will <u>not</u> be able to reset your password through email without uploading an encryption key. Password resets will only be available by contacting bugzilla-admin@mozilla.org. This is to keep password reset URLs for sensitive accounts from being sent as a cleartext.


There is basic information on Secure Mail [https://bugzilla.mozilla.org/page.cgi?id=securemail/help.html available] on Bugzilla that explains some of the functionality.
There is basic information on Secure Mail [https://bugzilla.mozilla.org/page.cgi?id=securemail/help.html available] on Bugzilla that explains some of the functionality.
Line 13: Line 13:
There has been concern for some time that email containing security problems that can affect hundreds of millions of people are being sent to developers and other interested parties as clear text. This means that there is a risk of interception as the email is sent across the Internet or if mail is stored offline on a local machine with the mail client. By switching to encrypted email for security bugs, we lessen the risk of accidental exposure of security issues.  
There has been concern for some time that email containing security problems that can affect hundreds of millions of people are being sent to developers and other interested parties as clear text. This means that there is a risk of interception as the email is sent across the Internet or if mail is stored offline on a local machine with the mail client. By switching to encrypted email for security bugs, we lessen the risk of accidental exposure of security issues.  


This change does make it more difficult to read bug mail for security issues in web hosted mail services but there is always the option of not setting up secure mail for an account and simply going to Bugzilla to view changes in security bugs.
This change does make it more difficult to read bug mail for security issues in web-hosted mail services but there is always the option of not setting up secure mail for an account and simply going to Bugzilla to view changes in security bugs.


This change was piloted by the former Infrasec team at Mozilla, which focused on security issues in Web sites and infrastructure, and it was found to work well.
This change was piloted by the former Infrasec team at Mozilla, which focused on security issues in Web sites and infrastructure, and it was found to work well.
Line 25: Line 25:
If you do not upload an encryption key and there is an update to a bug in a secure group, you will receive a notification that the bug has changed when it is updated but no details of the change. In order to view the details, you will need to visit the provided link in the e-mail to see the bug on Bugzilla.
If you do not upload an encryption key and there is an update to a bug in a secure group, you will receive a notification that the bug has changed when it is updated but no details of the change. In order to view the details, you will need to visit the provided link in the e-mail to see the bug on Bugzilla.


Additionally, without uploading a key, you will not be able to reset your Bugzilla password over e-mail since the mail cannot be encrypted. You will require the assistance of an administrator (bugzilla-admin@mozilla.org) for password resets.
Additionally, without uploading a key, you will not be able to reset your Bugzilla password over e-mail since the mail cannot be encrypted. You will require the assistance of an administrator (bugzilla-admin@mozilla.org) for password resets. (Note: you can still <i>change</i> your password; you just can't retrieve it via URL-to-email if you've forgotten it.)


Here is a sample email you would receive if you have '''not''' uploaded an encryption key:
Here is a sample email you would receive if you have '''not''' uploaded an encryption key:
Line 65: Line 65:
=== 6. Where can I get more information on setting this up for my mail client? ===
=== 6. Where can I get more information on setting this up for my mail client? ===


If you are using Thunderbird, you can run [http://enigmail.mozdev.org/home/index.php.html Enigmail], a Thunderbird extension, to read GPG encrypted e-mail. Basic setup instructions are [http://enigmail.mozdev.org/documentation/basic.php.html here] for it.
If you are using Thunderbird, S/MIME is supported out of the box. You can run [http://enigmail.mozdev.org/home/index.php.html Enigmail], a Thunderbird extension, to read GPG encrypted e-mail. Basic setup instructions are [http://enigmail.mozdev.org/documentation/basic.php.html here] for it.


If you are using OS X's Mail.app, you can use [http://www.gpgtools.org/gpgmail/index.html GPGMail], a GPG compatible addon.
If you are using OS X's Mail.app, you can use [http://www.gpgtools.org/gpgmail/index.html GPGMail], a GPG-compatible addon.


Ars Technica has [http://arstechnica.com/apple/guides/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime.ars published an article] on adding S/MIME certificates to Mail.app and iOS devices (and there is another article [http://blog.riobard.com/2010/05/18/sign-encrypt-email here] as well.
Ars Technica has [http://arstechnica.com/apple/guides/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime.ars published an article] on adding S/MIME certificates to Mail.app and iOS devices (and there is another article [http://blog.riobard.com/2010/05/18/sign-encrypt-email here] as well.


LuxSci FYI has an [http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html article] on configuring Outlook and other email clients to use S/MIME and GPG as well.
LuxSci FYI has an [http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html article] on configuring Outlook and other email clients to use S/MIME and GPG as well.
Gerv
Account confirmers, Anti-spam team, Confirmed users, Bureaucrats and Sysops emeriti
4,925

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/407481"

Navigation menu