About me

Developer Information
Name: Adam
Occupation: Principal of Software Security
User since: April 2, 2018
Number of add-ons developed: 0 add-ons
Average rating of developer's add-ons: Not yet rated

In a little more detail...

I've been a hacker all my life, but I've only been getting paid to do it for the past decade. I run the Software Security practice at Grimm, which essentially means I find 0-days in high-security software for our clients. In my spare time, I find and publish 0-days in software made by other people (non-clients), and often include an exploit to demonstrate the impact of the issue.

My Reviews


Rated 4 out of 5 stars

In general, I can't say enough good things about Enigmail.

It's sad that PGP has to be implemented as an add-on while S/MIME gets first-class treatment as a built-in feature. Given that this is the situation we find ourselves in, Enigmail is up to the task. After the initial setup, it makes encryption easy! All my emails are automatically signed and encrypted; incoming emails are automatically decrypted and signatures verified. The messages are clear about when a message is signed, whether the person who signed it is trusted and so on. If it's unable to encrypt an email, it warns me (and this warning is optional for those who don't really care if they send unencrypted emails).

Unfortunately, when Thunderbird automatically updated me to version 2.0 of Enigmail, I could no longer read encrypted emails. There was no error message, just a blank email. I echoed the email and piped it to my gpg client on the command line and it worked fine. I used the same command which is found on the Basic tab of Enigmail's settings, so I'm confident this is a problem with Enigmail, not with gpg. Furthermore, uninstalling Enigmail and installing version 1.99 (which can be obtained from Enigmail's website if you modify the download URL) caused everything to work perfectly again.

This brings me to my only real complaint about Enigmail, which is a lack of ability to debug things when something goes wrong. It's rare that there are issues, but in these rare cases, it would be fantastic to be able to troubleshoot what's going wrong. Showing a blank email and no error messages when something goes awry is not reasonable. For a while I sat around waiting for the message to load. The only test I could run (piping the email to the pgp program on the command line) didn't reproduce the error, so I was stuck (short of digging into the source code of Enigmail).

Aside from having a custom wrapper around the gpg command (which shouldn't matter to Enigmail since it should just be running whatever gpg command is specified in the Basic preferences), I have a standard setup, so I'm not sure why it failed (again, back to the lack of error messages and debugging capabilities). I'm not sure how (or if) new versions are tested before being released, but given the number of reviews citing problems with version 2.0, it does raise questions about this process as well. Hopefully they get it sorted out, and if not, I can just stay on version 1.99 forever.

This review is for a previous version of the add-on (2.0).