Possible Thunderbird gotcha


#1

I tried Deltachat to communicate with an Enigmail-enabled Thunderbird client to test the encryption.
Unfortunately, whilst this was successful and messages were encrypted / decrypted at each end, when replying from Thunderbird, it used the decrypted text as the subject line of the reply, which obviously remained in plain text when returned to the Deltachat server, i.e. the content leaked! The body content, though, was encrypted properly, as it should be. Thus it appeared to the Deltachat user that the channel was secure, which it was, as the lock icon was shown.

Deltachat to Deltachat doesn’t suffer this problem as it keeps the email subject line empty.

TLDR anyone sending encrypted messages from Thunderbird must manually remove subject lines from every reply email to ensure previous messages don’t become visible on the email server.


#2

Keep in mind that a spam filter, aka SpamAssassin (which runs on practically all decent email servers, including the big guys), will trigger on an empty subject field and add to the spam score via the rule “MISSING_SUBJECT”.
While according to RFC 2822 the subject field is optional, in practice an empty subject field is common behavior for spam/scam emails coming from infected computers and spam robots, which is why SpamAssassin cares about this.
Instead of leaving the subject field empty, I advise putting some random hash string there, like d1bf8fc6af9166875316587ad697a719


#3

There is the Enigmail option “encrypt subject by default” that moves the content of the subject to the encrypted part in a way compatible with other mail clients, including Delta Chat.

Not sure if the option is enabled by default, however.


#4

I didn’t know about that but after looking, can confirm that it’s not enabled by default.
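
A check for the leak discussed in this thread, added here as an example and not posted by any participant: it flags PGP-encrypted messages whose outer Subject header is still readable. The placeholder subjects, the addresses and the sample messages are constructed assumptions; adjust the placeholder set to what your clients actually emit.

```python
import email
import re
from email import policy

# Assumption: outer subjects a client substitutes when the real subject is
# moved into the encrypted part (empty, "...", "Encrypted Message").
PLACEHOLDER_SUBJECTS = {"", "...", "encrypted message"}
REPLY_PREFIX = re.compile(r"^(?:\s*(?:re|fwd?)\s*:\s*)+", re.IGNORECASE)

def is_pgp_encrypted(msg):
    """True for PGP/MIME (multipart/encrypted) or an inline-PGP text body."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if "-----BEGIN PGP MESSAGE-----" in part.get_content():
                return True
    return False

def subject_leaks(raw: bytes) -> bool:
    """True if the message is encrypted but its outer Subject is readable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_pgp_encrypted(msg):
        return False  # nothing was meant to be confidential here
    subject = REPLY_PREFIX.sub("", msg["Subject"] or "").strip()
    return subject.lower() not in PLACEHOLDER_SUBJECTS

def build_sample(subject: str) -> bytes:
    """Constructed PGP/MIME message; the payload is not real ciphertext."""
    return (
        "From: alice@example.org\r\nTo: bob@example.org\r\n"
        f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
        "Content-Type: multipart/encrypted;\r\n"
        ' protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n\r\n"
        "-----BEGIN PGP MESSAGE-----\r\n(constructed placeholder)\r\n"
        "-----END PGP MESSAGE-----\r\n--b1--\r\n"
    ).encode()

if __name__ == "__main__":
    for subj in ["Re: meet at the harbour at 5", "Re: ...", ""]:
        verdict = "LEAK" if subject_leaks(build_sample(subj)) else "ok"
        print(f"{verdict:4} outer subject: {subj!r}")
```

Run it over sent-folder or server-side copies of messages to see whether replies from a given client expose quoted text in the Subject header.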