Open Source Crypto is Hard: Part 7846

Last week I wrote about the importance of Thunderbird as a platform for encrypted communications. That produced some comments from Gervase Markham, who works for Mozilla. Here's one particularly interesting suggestion he made:

I think you are unlikely to succeed [in getting Mozilla to invest more in Thunderbird]. So can I suggest alternative ways of reaching your goal? The Firefox OS mail app is an email client which is supported by Mozilla and, because it's a web app written in HTML and JS, could be installed on Android, shipped on the desktop, or even turned into a webmail client. This codebase is much more likely to produce a vibrant Mozilla-supported email client than the Thunderbird one. (And I say this as a long-time Thunderbird user.) It's not ready to replace Thunderbird yet, but I think you are far better off pushing in that direction than trying to get decisions about Thunderbird itself reversed.

That's certainly an idea worth exploring, although, as I replied to Markham, I have some concerns about how robust implementing OpenPGP in Javascript would be (but see his comments on that, too.) We certainly need other open source mail clients that can be used for secure communications. When I wrote about Thunderbird back in 2013, I mentioned a new project called Mailpile. That has been progressing steadily, and recently released a beta version. Here's what feedback revealed:

Obviously we had hoped things were almost ready for public consumption, that we were close to making a proper release. The testing did it's job alright: we know now we were a tad overoptimistic. Just a tad! So we're going back to work instead of pushing for a 1.0 right away.

Some of the key take-aways from our beta tests were:

We bit off more than we can chew in our 1.0 plans. The app needs to be simplified so we can ship something really stable.

Our IMAP support still needs work so it can interoperate with all the different mail servers out there. The Internet is a big and diverse place!

Our GnuPG strategy and code isn't ready. We need to either make all that crypto stuff completely seamless, or improve the tools we expose to the user for manual work. Preferably both.

Of course, the last of those is the big one, and goes back to the discussion around Thunderbird last week. As the Mailpile team emphasised, the project is not being abandoned: the beta-testing did what it was supposed to do - winkle out problems - and the team will now use that feedback to address issues and improve things. But it does show once more that crypto is hard - and that's true not just for open source, but for all kinds of software. The big question remains: is it possible to make it easy enough for many more people to use, or is it doomed to be the preserve of those who really need it, or at least think they do?

Follow me @glynmoody on Twitter or, and +glynmoody on Google+


Copyright © 2015 IDG Communications, Inc.

Shop Tech Products at Amazon