Tuesday, August 18, 2020

Thunderbird 78, Enigmail and Secure Emails

I migrated to Thunderbird after Microsoft desupported Outlook Express around the mid-2000s. Dealing with large email folders in Windows Mail tested my patience. I also didn't want to upgrade to licensed Outlook. So Thunderbird has been my primary desktop email client during the life of this blog, and it's no accident that multiple posts have touched on Thunderbird.

This week I upgraded to Thunderbird 78; upgrades are always risky since some of your add-ons may not be compatible with the new release. So, for example, a plug-in I was using to access at least a half dozen Google calendars isn't currently available. Of course, I can easily check Google Calendar on my desktop or Android, but it's convenient in my email client if I see, say, a grandniece is celebrating her birthday.

One thing I've looked at doing is improving my email security through PKI technology. Basically there are public/private key pairs that you can use to encrypt an email and/or establish nonrepudiation of its source. For example, I can use your public key to encrypt an email so only you can view its content, since only your private key (unlocked by the correct passcode/PIN) can decrypt it. I can also sign the email with my private key, and you can use my public key to verify that I sent said email. (For a related discussion, see here.)
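To make the two operations concrete, here is an added toy example (not code from Thunderbird, Enigmail or OpenPGP, and not how those tools are implemented internally): the sender signs with her own private key, a random session key is wrapped with the recipient's public key, and the recipient unwraps the session key, decrypts, and checks the signature against the sender's public key. It uses textbook RSA over fixed Mersenne primes and a SHA-256 counter-mode keystream as a stand-in for a real cipher; the names `alice`, `bob`, `seal` and `open_sealed` are all constructed for this illustration. Real OpenPGP adds padding, packet formats and authenticated encryption that this sketch omits.

```python
"""Toy sign-then-encrypt email model (added illustration, not OpenPGP)."""
import hashlib
import os
from dataclasses import dataclass

E = 65537  # conventional RSA public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent (public)
    d: int  # private exponent (secret; a real keyring protects it with a passphrase)

    def public(self):
        return (self.n, self.e)


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key generation from two primes supplied by the caller."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return KeyPair(n, E, d)


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(message: bytes, signer: KeyPair) -> int:
    """Signature = H(m)^d mod n, computed with the SENDER's private key."""
    return pow(_hash_int(message), signer.d, signer.n)


def verify(message: bytes, signature: int, signer_pub) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = signer_pub
    return pow(signature, e, n) == _hash_int(message)


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stand-in for the symmetric cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(message: bytes, sender: KeyPair, recipient_pub):
    """Sign with sender's private key, then encrypt to recipient's public key."""
    n, e = recipient_pub
    sig = sign(message, sender)
    sig_bytes = sig.to_bytes((sender.n.bit_length() + 7) // 8, "big")
    payload = len(sig_bytes).to_bytes(2, "big") + sig_bytes + message
    session_key = os.urandom(16)  # fresh per message, like an OpenPGP session key
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)  # only recipient can unwrap
    body = _xor(payload, _keystream(session_key, len(payload)))
    return wrapped_key, body


def open_sealed(wrapped_key: int, body: bytes, recipient: KeyPair, sender_pub) -> bytes:
    """Unwrap with recipient's private key, decrypt, then verify the sender's signature."""
    key_int = pow(wrapped_key, recipient.d, recipient.n)
    if key_int.bit_length() > 128:
        raise ValueError("wrapped key does not unwrap with this private key")
    session_key = key_int.to_bytes(16, "big")
    payload = _xor(body, _keystream(session_key, len(body)))
    sig_len = int.from_bytes(payload[:2], "big")
    sig = int.from_bytes(payload[2:2 + sig_len], "big")
    message = payload[2 + sig_len:]
    if not verify(message, sig, sender_pub):
        raise ValueError("signature does not verify against the claimed sender")
    return message


# Constructed demo keys from Mersenne primes (fine for a toy, never for real use).
alice = make_keypair((1 << 127) - 1, (1 << 521) - 1)
bob = make_keypair((1 << 607) - 1, (1 << 1279) - 1)


def demo_roundtrip(message: bytes = b"Happy birthday!") -> bytes:
    """Alice seals for Bob; Bob opens and confirms it really came from Alice."""
    wrapped_key, body = seal(message, alice, bob.public())
    return open_sealed(wrapped_key, body, bob, alice.public())
```

Running `demo_roundtrip()` returns the original message; flipping a byte of the encrypted body or opening it with the wrong private key raises `ValueError`, which is the behaviour the padlock icon in Thunderbird is summarizing for you.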

Government (especially military) personnel often use smart tokens/smartcards known as CAC's. (I've discussed CAC's in recent posts.) Basically the card carries PKI certificates and their private keys, which are unlocked with your passcode/PIN to work with secure emails, network access and/or endpoint devices, etc. It's a form of multi-factor authentication: something you have (a token), something you know (the passcode).

In legacy Thunderbird one add-on, Enigmail, has provided an implementation of PKI through integration with OpenPGP (Pretty Good Privacy). I muddled through its implementation. All of this is freeware, with no out-of-pocket costs, including for limited-term certificates. Now I have a large number of email accounts for various purposes, but there are 3 external providers I primarily use (in arbitrary order: hotmail/outlook.com, gmail, and yahoo). And so I configured key pairs for each of the accounts, and tested the functionality among the accounts.

The biggest problem I have with the technology is that almost no personal contacts or other (business) emails deploy PKI. I use it so infrequently (mostly to check functionality after various upgrades) that I'll sometimes have to check one of my password stores to recall my different passphrases for the accounts.

One of the key new features of Thunderbird 78 is native support for OpenPGP, which basically means Enigmail is redundant. It's fairly straightforward to create a new key pair through Kleopatra (the OpenPGP key manager), but I haven't come across any tutorials on importing them into Thunderbird. As time permits, I'll try to add a fourth key pair and perhaps document it in a future post.

One nice thing in Thunderbird for past Enigmail users is that they provide a migration option, I believe in the options menu. At least the initial steps of the migration were fairly obvious; in my case, in the order yahoo, gmail and outlook.com. What completely threw me off was the fourth prompt, which asked me for the password for a long randomized alphanumeric string. What the hell? Was it prompting me for some password I forgot to capture in configuring Enigmail a while back?

I noticed there were 3 such prompts, so the obvious inference is I had to reenter the same passwords. In what order? I guessed in the earlier migration sequence. Good guess. I'm not sure why the interface was designed that way, but it wasn't obvious.

It's fairly easy to toggle on the signature and/or encryption options (I think through a security menu in the compose window), not to mention adding your public key to the email. And when I opened the email at the target I noticed a nice padlock symbol in the message window.

Tuesday, August 11, 2020

The New Blogger Interface: Some First Impressions

I don't like being forced into an upgrade, especially where it violates expectations of past experience, makes things less convenient, etc. Back in the 1980's, Coca-Cola decided to change the formula of its classic soft drink to a sweeter version and would not allow the customers to choose their preferred option. Consumers rebelled, hoarding supplies of the legacy formula. To its credit, the company quickly relented, relabeling and producing "Coca Cola Classic". New Coke never did catch on and was eventually dropped; decades later, the company dropped "classic" on packaging of its legacy formula.

Since starting work on this post, I've discussed some of the issues I have with the new Blogger interface in a segment of my signature political blog here. Ironically, one of my chief complaints, which has to do with Blogger's New Coke approach, doesn't apply to this blog; I do have a link for reverting back to Blogger Classic, although only temporarily, for this blog. I don't know why the older blog doesn't have the link. Many of my issues deal with toggling between the compose and html modes. In my daily political "miscellany" post, I'll often include a number of embedded objects, primarily video clips. So typically I'll copy and paste bits of html code from other sources into html mode. Now the classic html mode did a beautiful job of maintaining separation of html code and preserving text lines between modes, so, for example, I could effectively insert a couple of lines between a video and the next (existing) section header while inside html mode and those blank lines would carry over to compose mode. There were various functional reasons for inserting blank lines in html mode, including that it is an easier way to avoid carryover formatting while in compose mode, e.g., from headline format to normal text format. I could more easily adjust the post format without fiddling with formats in compose mode.

It also makes it easier to find and replace html code. An example is that I've sometimes thought I had copied a video's embedded code into clipboard for insertion (replacing the prior video's code) but the copy failed, and I ended up duplicating the video in the post, which I discovered after publishing the post. Under the classic html mode, it was fairly easy to locate the duplicated video code and replace it for updating the post.

Under the new html format, html code becomes more spaghetti-like in a collapsed format and you need to parse the html ball to make your changes. Spacing in draft mode doesn't map to the compose mode. For instance, my miscellany posts usually include a quote for the day and a daily older music video "interlude" at the bottom. But if the first thing I do after adding a quote is to add my music video of the day, I can separate the quote and video segments by 50 lines in html mode, but if I flip back to display mode, the music video section appears immediately after quote and I have to fuss with compose mode settings to insert intervening post segments. It adds to the busy work of writing and publishing a mixed-mode post. (It isn't as much of an issue in drafting a primarily text post like this one.)

One related aspect I didn't discuss earlier is that Blogger Classic would also provide a way of displaying an embedded video (especially Youtube clips). Now you simply see a gray blob. The (earlier) WYSIWYG compose display didn't work for all but most of the clips I would embed. There is a preview post mode (under both versions) which works to the same desired end. Occasionally I'll run into a clip where I can't see if it works until the post is actually posted. But obviously it was easier for me to verify the clip in a WYSIWYG compose view than to preview or publish the post.

There are other minor points, probably idiosyncratic to my blogging activity. One is the fact that there used to be a checkbox in the blog stats page where you could set a blocking cookie so your own pageviews wouldn't inflate statistics. (Technically, I would prefer that to be true by default without having to constantly check if the cookie is still there.) I'll often tweak a published post for various issues like typos or wording, and maybe up to a half-dozen edits (rare, but it happens) would significantly bias my reader stats. (Some of my blogs have posts with 100 or more pageviews, but I probably average less than a dozen on my daily blog.) I have an informal preference to see at least double digits, but "real" double digits. I have probably dozens that have capped at 9, but I don't want to cheat just by viewing each post in question. So the point is, if there is a block cookie option in the new Blogger, I haven't found it yet. I recall recently I had a delayed browser launch of my published post, and the browser eventually responded with 3 or 4 windows; those all factored into the post statistics.

Finally, there are a number of feature inconsistencies, not that difficult but annoying and not necessarily obvious. An example to make the point: I'll often embed a political cartoon in my miscellany daily post and use the caption function to attribute the artist and the source. I normally had to resize the embedded image under the old format and actually like the initial size under new functionality; if I had to tweak the size, the controls are obvious, while the old controls were more of a toggle switch approach. However, somehow I didn't recognize the caption option at first and ended up manually inserting a caption line in a line following the image the first few times I inserted images and eventually discovered the caption option by playing around with the interface. Maybe the interface was more natural to other people.

Monday, June 22, 2020

It Never Seems To Stop

Technical issues. Hardware, software upgrades, misleading technical information, etc. For example, a USB smartcard reader stops working. After some trial and error, I get it working in another USB port. Was it an issue with the original port, with other connected USB devices (say, an external disk drive) affecting it, a problem with the reader itself, or some recent updates, e.g., to device drivers?

As I write, my primary PC is making a second attempt at the latest Windows 10 feature update. It had successfully completed on my newer PC, although it seemed to take forever. I knew something had happened when I took a short nap and woke up to find my PC ready for logon, and it did not launch into some sort of "preparing your desktop" step. I quickly confirmed the update had failed by looking at the Update history. No clue as to what happened, but at least the system had reverted to a usable state. [It has since failed again while I composed this post, at about the 58% completion point. I tried running the Updates troubleshooter to no result. This is not the first time I've run into multiple Update failures.] My older devices are "not yet ready" for the update. I know in the past they eventually get usable updates, but I find it annoying to have different versions across my devices. But even launching Setup/Windows Update can be an issue at times.

Then there's Adobe Flash Player. There are a number of issues here, including its use with certain mandated training software I use. A big upcoming issue is the product's end of life at the end of the year, with all major browsers announcing related end of support. There has been chronic lag in security patching, never mind that browsers handle Flash Player support differently, e.g., Chrome vs. Firefox. One of the things I found was that using the software through Chrome required manually changing the browser window to enable Flash Player; apparently there's no way to whitelist URLs to allow Flash Player. I discovered the Player issue when I got to a simulation exercise in the courseware and it just wouldn't advance--it was just spinning. I had contacted technical support; he didn't seem to run into the issue using my account--and then at some point he mentioned using Firefox. I recall in the past, when using cable TV scheduling with Chrome, I would get some "right-click to enable Adobe" thing, but at some point it changed to clicking at the start of the address prompt. However, in the case of the training software, I never got a warning to the effect there was a Flash Player issue.

And then I got to this one course where Flash Player was allowed, but I got a warning the courseware required Flash Player to display the screen. Now what? I remember the support guy had initially tested on Firefox. So I launched my copy of Firefox, only to discover Flash Player wasn't installed, and I eventually realized I had to download the player from Adobe. I remember wondering how to verify the software was installed in Firefox. I eventually launched the courseware and saw something to the effect of right-click to use Flash Player.

I know when I wrote my recent posts on issues with government smartcard CAC's I saw an emphasis in other sources on running the 32-bit version of Internet Explorer in order to use ActiveX functionality in order to use PKI for secure email (digital signature and encryption). If you're running a 64-bit OS, like many of my own PC's have, you should have both 64- and 32-bit versions. Long story short, I started launching the 32-bit iexplore. For other reasons, I started looking at Process Explorer from Sysinternals to look at the iexplore process(es) (right-click/Properties to see the executable path name). That's when I discovered 64-bit IE was still being launched concurrently; more to the point, even if I launched 64-bit IE, I could still use secure email functionality; I think I read somewhere that IE-64 will open a frame to support 32-bit requirements when needed.

On a side note, I have discovered that using a VPN can have some unpleasant side effects. For example, I found sending an email using Gmail was failing, but if I momentarily disconnected the VPN, I could connect to the SMTP server. I've also found at least a dozen secure websites balking that they don't recognize my IP. From a security standpoint, I appreciate the checks, but it is a usability tradeoff and somewhat defeats the purpose of using a VPN.

Saturday, June 6, 2020

Troubleshooting Secure Email Issues With a CAC

I was tempted to simply add a second addendum to my recent CAC post, but I wanted to expand on relevant comments.

To summarize, a (government) CAC smartcard chip contains PKI material, including certificates and their associated private keys. If I use third-party software, like ActivClient, I can see 3 certificates (identity, signature, and encryption). The identity certificate is used to authenticate, say, to a government website. The email signature certificate is used to provide non-repudiation of the message source, and encryption ensures confidentiality. In practice, the private keys are protected by the CAC PIN. So, for example, in accessing a secure government website, including email, I'll usually get a pop-up to select the (identity) certificate; there's a second step (on my home system) where it's testing the card reader and reading the CAC; on an intermittent basis I'll sometimes get a garbage popup saying something like it can't use the certificates on the CAC. What this really means in practice is I need to reseat the CAC--remove the card from the CAC reader and reinsert it. (IMPORTANT practical note: if I'm using 32-bit Internet Explorer, I need to go to Internet Options, Content panel and clear the SSL state before I can reread the CAC.) Once I get confirmation that the device is ready and click OK, I should be prompted for my CAC PIN. If successful, I'll usually land at a USG warning banner page (in IE, I'll sometimes have to refresh the webpage). Similar PIN entries occur if I sign and/or encrypt outgoing emails for security.

Now I ran into some weird issues soon after installing/testing S/MIME for use in IE-32 as described in the last message (needed for secure email functionality). I recall being able to pull up a digitally signed and/or encrypted email from another person and sending my own signed/encrypted email. A few days later, I tried pulling up another email from the same person, and the entire message body was blank. What the devil? Was he encrypting with an obsolete public certificate? A separate, weird issue: all of a sudden I couldn't send even regular emails from Outlook Web Access; clicking on the send button didn't do anything.

I really didn't want to contact the government helpdesk on the issues; I did have a contact with the local group servicing the laptop, and he mentioned he had also run into a blank email issue with OWA but not when using the Outlook client on his laptop (not available to me).

I did a Google search on my issues and found this Microsoft webpage where the user's experience exactly matched mine. When I got to Jeremy Nickels' detailed response and saw 231 readers had endorsed it, I was convinced I had stumbled across a solution for an apparently common problem. The key steps are up to step 10 and involve a number of tweaks to IE settings, and yes, they resolved my functionality issues. I didn't check militarycac.com; I think when I tested that first signed/encrypted email after installing S/MIME via a related note, I assumed no other tweaks were necessary.

Tuesday, June 2, 2020

Some Notes About Using CAC's on a Home PC

Common Access Cards (CAC's) are government ID smartcards. Basically they come with a chip on which you have some PKI certificates installed (used for network authentication, digital signing and email encryption/decryption in conjunction with a PIN), and they are often used as a way to access certain government buildings and certain government websites; government employees and contractors may also need additional proximity cards and/or smartcards for access to certain restricted buildings or areas at a government site. (This is not privileged information; in fact, you'll find a Wikipedia page on CAC's, and an Internet search will reveal a number of websites which discuss practical aspects of using CAC's, resolving issues, etc., not requiring access to government networks, including militarycac.com, which I'll briefly describe as a key resource below.)

I've needed CAC's for multiple gigs over the past decade. I say plural because I'm not a civilian (federal employee), and typically they are tied to contract expirations and also must be surrendered if you quit or otherwise leave your position (need-to-have basis). It can be painful; for example, in a gig I had from 2017 to 2019, contract option years were figured into CAC expiration, and I had to get mine renewed; there were technical issues because the new CAC certificates were incompatible with old secure emails.

The COVID-19 crisis has backlogged local CAC processing, and so I had to go to a government facility in downtown Baltimore to get my CAC. I had been issued a government laptop off-site; basically the way the process works, my CAC is used to access the notebook and it first needs to be authenticated by connecting securely to the government network, and then authentication is cached to the PC, enabling logon (including without network authentication). Long story short, there's a known technical issue with certain newer CAC certificates from one of a couple of certificate authorities, and the network balked at my CAC because of that problem.

The government laptop comes with a card reader, but it's not usable because I can't log on without the cached CAC authentication (you don't get usable feedback; it simply states it's unable to validate my credentials, not that I entered an invalid PIN). I made an appointment at a desktop support group at the local facility, and the local technician identified the CA issue mentioned earlier.

This put me in a bind because I needed to access my government email to respond to related service issues, and also to do certain required training/certificates to get my own (vs. a visitor) network account, and while I didn't have to connect to the government network to access at least some alternatives, the websites typically require CAC authentication. So I had to acquire a USB smartcard reader; you can buy one for about $15 from a variety of vendors at Amazon.com. In addition, in my experience, I also had to buy a licensed copy of ActivClient for about $35 (see militarycac.com for the vendor). (Some sources or experts will tell you that you don't need the software with Windows 10, but in my experience, while Windows 10 could see the smartcard reader, it looked like an empty/inaccessible disk drive.) I also downloaded and installed/ran two executables from militarycac.com: InstallRoot...msi and HomeUserCertTool..zip.

The device "documentation" sucked. Let me quote:

"Red Light = Functional" (will change to blue when inserting CAC card)

Actually, the device comes with two lights, a power light, which is blue, and a second red light which blinks/doesn't change color with CAC insertion.

It also states "For 3rd party software, certificate, see militarycac.com". Presumably they are referring to ActivClient (see above). Once you have ActivClient installed, you should be able to see/open the CAC and see the certificate.

They also provide a URL to download the device driver. No such driver is available, but apparently the Microsoft device driver is functional. As I said, the documentation sucks.

Finally, many government websites certify on Internet Explorer for support purposes. I found one training website worked well with Chrome. Some browsers, including Chrome, don't like the certificates of other websites and won't let you through to the URL. Ironically, I found webmail seems to work well with a Chrome cousin, Brave. [See addendum below.] Be careful with URL's; for example, one site required 'www.' at the beginning of the domain name, and another seemed to require '/owa' at the end. In Internet Explorer you may need to clear (content) SSL state to reread your CAC and/or clear certificates via another security tab in Internet Options. Sometimes you will get a failed validation, which can be resolved by removing and reinserting your card and trying to log on by CAC again. In a few cases you may need to refresh your browser to see your USG banner warning page.

Your mileage may vary; I don't know/think all or most readers will have two lights, one blue and one red. (I still can't forget my Commodore 64 floppy drive documentation back in grad school warned something like "Never insert/remove a floppy with the green light on!" Well, the green light was a power light! It also warned, "Don't power down the drive with a floppy in it!" Okay, how the hell are you supposed to use a program disk? I decided they really meant to say when you were writing to a data disk (say, an amber light blinking), but I really didn't want to lose my $35 program floppy.) Hopefully this guidance helps others; militarycac.com is very good but lacks the context I've provided here.

[Important addendum: 6/2/20.] In using Brave I was referring to regular emails, i.e., not using secured email functionality like signed/encrypted emails. In Windows, this is enabled by S/MIME functionality accessible through and/or installed with 32-bit Internet Explorer (\Program Files (x86)\Internet Explorer\iexplore.exe) in conjunction with ActiveX controls. In my system, S/MIME was not installed by default, but a link to the install was available by drilling through the Options menu in Outlook Web App. Note I sometimes have to refresh IE after signing into OWA with my CAC ID/PIN to get the USG banner warning, a prerequisite to opening the mail app.

Friday, May 29, 2020

In Troubleshooting, Question Your Assumptions

I will often use a large number of Internet browsers for a variety of reasons. For example, in my work as an Oracle DBA, I've generally found that Firefox worked better with Oracle web servers. Some browsers will block URLs they consider unsafe, even in a trusted intranet. My current client promotes Internet Explorer as their supported browser. Sometimes add-ons/extensions are exclusive to a particular browser. Others provide better privacy guards, have integrated support for video downloads, etc.

I've generally liked and used Google products; I was one of the earliest gmail users, I've got a Chromecast and Google Hub, I often embed multiple Youtube videos in my daily political posts, and I use Blogger for all my blogs. I was also an early adopter of Google Chrome. As familiar readers know, I have five PC's (long story: 3 of them were brought back from the dead) plus a Chromebook. I use them for different purposes. But one of the nice features (also implemented by other browsers) is Chrome's Google Sync feature, which includes, but is not limited to, bookmarks. I've gathered and organized literally thousands of bookmarks over the years. I like being able to use any of my devices and having, and being able to tweak, the same bookmarks everywhere. I routinely maintain backups on multiple external hard drives, I've got cloud backups, and I could quickly switch to a backup PC in the event my workhorse PC becomes disabled. Oh, don't get me wrong; I would still need to reinstall certain apps, like my licensed Microsoft Office suite, but I also have flash drives with portable apps (including free open-source office suites, not to mention there's Google Documents and other apps via my Internet browser).

So I had started a new position and quickly gathered a number of links, e.g., to a timesheet system, web-based work email and other applications, an HR URL for paperwork, etc., quickly organized in a company folder. The other day I had switched to one of my backup computers and was working on a blog post when I noticed incidentally I didn't see my new company folder in its expected place. I double-checked: Google Sync was on in Chrome on both PC's. I double-checked setups on my backup PC, thinking maybe it wasn't syncing with the cloud. Nope.

What was wrong? The reader may guess the obvious correct answer, i.e., my workhorse PC wasn't syncing my local bookmarks to the cloud because the bookmarks sync option had been toggled off. I had initially rejected that notion because I didn't remember going into sync options to toggle off any default option, never mind knowingly turning off a desired option. Well, not only was the bookmarks option toggled off, but all the others as well! So I had the paradox that Google Sync was on but not syncing anything to the cloud, since all the options were turned off!

Obviously when I turned everything back on, my bookmarks migrated to my backup desktop, still leaving the mystery of how my sync options were in an interim off status. I did have a Chrome update issue a few weeks back and did a deinstall/reinstall of the browser as per guidance. I'm not sure if my enigmatic situation is an artifact of the reinstall process, but I'm making a mental check to reexamine Google Sync options routinely in the future, including any browser updates or reinstalls.

On a separate Google-related note, I used to rely on the Blogger Dashboard for a list of one's blogs and had a stored bookmark to it (see here for a mockup of what I'm describing). So a few weeks back I clicked on the URL--and no dashboard. Now I had noticed on my individual blog all-posts page there was a drop-down menu of my blogs (from the current/working blog ID), including an option to create a new blog. So it's fairly easy to switch among blogs; effectively the dashboard has been integrated into individual blog pages.

I think maybe this 11/22/2016 post explains it:
To kick things off, we’ve taken a crack at simplifying Blogger’s dashboard so that it’s easier for you to get right to the tools you need. Now, whenever you open Blogger, you’ll be taken right to your blog with the most recent post, putting you one click or tap closer to drafting something new
Um, yeah, except I had already bookmarked the posts page for my signature political blog. So I wasn't going to the dashboard to start a new post. I was using the dashboard for a more consolidated view of my blogs. Now I could easily set up an html page to mimic the functionality of the old dashboard; I just wish that Blogger had given us an option to retain the old dashboard.

Wednesday, May 13, 2020

Tiles and Integration with Google Hub

I love Google products and services. But there are some usability issues that drive me crazy. One recent issue which comes to mind is the Google Nest Thermostat which I described in a recent post. I've unsuccessfully tried to get apartment management to replace what I think is a defective unit (the actual temperature deviates, which I verified from a cheap handheld thermostat I bought from Walmart). Reseating the device occasionally corrects the temperature, but it'll climb (above the real temperature). So I have to do offsets. For example, if I set the heat for 68, and I wake up to 64, and Nest shows 72, I'll reset the heat target to (say) 76. I'll make similar adjustments periodically while I'm in the apartment. It gets particularly annoying because it'll reset your heat target in "energy saving" mode. (I routinely get utility reports showing my apartment as the most efficient among neighbors, obviously unrelated to Nest.)

Sometime back I bought some Tiles. These are great for locating misplaced items. Now at the risk of oversimplification, there are two types of Tiles, a flat kind (Slim) that you can insert into a wallet and a thicker, small plastic device with a keychain hole (Mate), which sort of reminds me of an iPod Shuffle. I originally bought 2 four-packs of the latter, one for my Mom (who didn't want it, found it insulting). These come with replaceable batteries (which you can buy in multi-unit packs for about $1 each). These need to be set up/registered with a cellphone app and an account with thetileapp.com.

So the Tiles basically have two-way functionality. (Note the devices have ranges, depending on model, from 150-400 feet.) Through the cellphone app, you can click to activate a noise from the target, say, my keys or wallet. And assuming your cellphone has battery power, the Tile app loaded and bluetooth on, you should be able to locate your cellphone from the tile by double-pressing the tile.

I didn't even realize it but my batteries had expired when I tried to use the tiles for the first time in months. I finally shipped my Mom's set and was going to brief my brothers on setup. For the most part, functionality works as expected in testing (e.g., for my wallet or keys). Occasionally it fails for unspecified reasons.

At some point I became aware I should be able to locate my Tiles through my Google Hub after setup, e.g., "Hey Google: ring my keys." I used documentation from the Tile App and Google, but I couldn't get functionality to work properly, and tech support from Google and the Tile App were ineffective (the latter was particularly obnoxious pasting the same setup 3 times, which had been done before my chat session). Somehow the Google Hub didn't think I had turned on the private results option through Google Home. Long story short, I found the Google Hub was linked to two of my gmail accounts. I delinked the less frequently used account, and that seemed to resolve my functionality issues.