
I have a number of contacts who can only decrypt 3DES, when it comes to S/MIME encrypted mails. I'm aware that this is by far not ideal, but better than no encryption at all.

My problem is that I can't find a way to force Thunderbird to use 3DES for specific mails. Thunderbird itself doesn't seem to have an option, so I've installed the Enigmail plug-in, which states in the FAQ:

Note that you can force usage of a specific symmetric algorithm by using the GnuPG option --cipher-algo, but this is not recommended; this option can easily break things and is intended for debug purposes only.

This sounds good, but the setting does not change a thing for me.

I've also asked on the Mozilla support page and on the Enigmail support page.

I'm baffled that there's no obvious solution to this.

How can I force Thunderbird to use a specific encryption cipher for S/MIME encrypted mails?

GarlicCheese
  • An email client should automatically recognize the ciphers supported by the other client from a signed email. However, 3DES is very old and I know it has not been supported for years by some clients, for security reasons. Not sure about Thunderbird though. The latest S/MIME 4.0 RFC marks 3DES as historic. – not2savvy Feb 12 '20 at 10:13
  • That's correct. Replies usually work, but I frequently have to write new mails to such contacts. – GarlicCheese Feb 12 '20 at 11:43
  • Even for a new mail, in order to encrypt Tbird _must_ have and use the recipient's certificate -- which is _usually_ obtained from a prior email but can also come from other sources like LDAP -- and that certificate normally contains the recipient's capabilities. AIUI Tbird (like Firefox) uses its own cert store; look in there for the cert and look at its SMIMECapabilities extension. – dave_thompson_085 Feb 13 '20 at 01:28
  • While that sounds fantastic, it doesn't work. When I send a mail to said contacts it's encrypted using AES128, which they cannot decrypt. – GarlicCheese Feb 13 '20 at 06:25
  • As a workaround, the recipient can set up a contact form that encrypts the message for the recipient using S/MIME encryption with whatever ciphers the recipient supports, and sends the encrypted message to the recipient by email. See https://www.encryptedcontactform.com/ for an example. – mti2935 Jul 20 '20 at 17:22
  • For what it's worth, Outlook does support choosing the cipher, including choosing 3DES (though it defaults to AES). – CBHacking Jul 16 '21 at 05:08
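As dave_thompson_085's comment notes, the recipient's certificate can carry an SMIMECapabilities extension (OID 1.2.840.113549.1.9.15) listing the symmetric ciphers they can decrypt, in their order of preference. The following added example, which is not from the original thread, decodes that extension's raw DER value with only the Python standard library and shows how a conforming client would pick a cipher from it. The cipher-name table and the sample DER blob are constructed for the example, and the AES-128 fallback in choose_cipher is an assumption modelled on what the OP observed.

```python
# Well-known OIDs for S/MIME content-encryption algorithms (table constructed
# for this example; add others as needed).
CIPHER_NAMES = {
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "1.2.840.113549.3.7": "des-EDE3-CBC",
    "1.2.840.113549.3.2": "rc2-CBC",
}

def _read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_smime_capabilities(der):
    """SMIMECapabilities ::= SEQUENCE OF SEQUENCE { OID, parameters OPTIONAL }.
    Returns [(oid, name, key_bits_or_None)] in the cert's order (= recipient preference)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(seq):
        _, cap, pos = _read_tlv(seq, pos)
        _, oid_body, end = _read_tlv(cap, 0)
        oid, bits = _decode_oid(oid_body), None
        if end < len(cap):  # optional parameter, e.g. RC2 key length as INTEGER
            ptag, pbody, _ = _read_tlv(cap, end)
            bits = int.from_bytes(pbody, "big") if ptag == 0x02 else None
        caps.append((oid, CIPHER_NAMES.get(oid, "unknown"), bits))
    return caps

def choose_cipher(caps, sender_supports, default="aes128-CBC"):
    """First recipient-preferred cipher the sender also implements; the default
    (assumed here to be AES-128, as the OP observed) only when nothing matches."""
    return next((n for _, n, _ in caps if n in sender_supports), default)

# Constructed sample: a cert advertising aes128-CBC, des-EDE3-CBC, rc2-CBC (128-bit).
SAMPLE = bytes.fromhex("3029300b0609608648016503040102300a06082a864886f70d0307"
                       "300e06082a864886f70d030202020080")
```

Feed parse_smime_capabilities the extension's DER value pulled from the contact's certificate with your usual certificate tooling; if des-EDE3-CBC is not in the result, the certificate never told the sending client that 3DES is needed.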

1 Answer


I tried to find out a little more about how and where Thunderbird stores the ciphers of the communication partner, but it looks like it's not actually stored with the user or his/her certificate. Therefore, Thunderbird uses a default cipher, probably as defined in the S/MIME RFC it implements. There seems to be no way for the user to set the default cipher.

The only way I can think of to make Thunderbird respect the other side's ciphers properly is not to create new emails, but to always reply to an existing one.

not2savvy
  • Thank you for your input. You're right, replying to emails works fine, but that's not viable. I understand that the mail client/setup chooses a sane default cipher for the user, as most users don't know what would be a good choice, but I am perplexed that there is **no** option of specifying a certain cipher. – GarlicCheese Feb 24 '20 at 06:30
  • I completely understand that you do not find this viable. However, it looks like it is the only answer you can get (unless you contribute a solution to Thunderbird). – not2savvy Feb 24 '20 at 10:35