Message security

From MozillaZine Knowledge Base

This article was written for Thunderbird but also applies to Mozilla Suite / SeaMonkey (though some menu sequences may differ).

This article is an overview of message security in Thunderbird. It explains the concepts and has links to other articles that provide more detail.

Message security applies techniques of digital encryption to protect the contents of individual messages. Using these techniques, an individual message can be signed, or encrypted or both.

Note:  The terms signed and signature can also refer to blocks of text, usually placed at the end of a message to identify the sender. These kinds of signature have nothing to do with security. For information about them, see: Signatures - Thunderbird


Security systems

Various systems exist for securing messages. Thunderbird has built-in support for a Internet standard called S/MIME, which is what this article describes. In other security systems the concepts are very similar.

Thunderbird supports RFC 3851 (S/MIME version 3.1). The new features of RFC 5757 (S/MIME version 3.2) are not supported. You can add support for other security systems by installing extensions. For example, the Enigmail extension adds support for PGP. There is more information about using PGP at: Secure my email . You can not use both S/MIME and PGP in the same message. For a technical comparison of these two systems, see: S/MIME and OpenPGP.

Whether to choose S/MIME or Enigmail depends mainly upon what your recipients will support, not technical details. However, one reason for Enigmail's popularity is its much easier to figure out how to set it up than S/MIME. It's also got much better documentation and a dedicated support forum. Long term, the Thunderbird developers are planning on adding support for p≡p (Pretty Easy Privacy) once the Enigmail add-on is compatible with it. It's an attempt to make end-to-end encryption much easier to use.

SSL/TLS is also supported, but it is only used to temporarily encrypt data as it is being send/received between a email client and server. Neither S/MIME nor OpenPGP protect your email password, as that is not part of the message. SSL/TLS works well in combination with S/MIME or OpenPGP.

Signed messages

A signed message is an ordinary message with a digital signature added by the sender. The signature has two purposes: it identifies the sender, and it verifies that the content of the message has not been altered since the message was sent.

Anyone can read a signed message, because it is just an ordinary message. There is nothing different about the message content. The signature is part of the message, but separate from the content.

A signed message can identify the sender in two ways. You might have received other signed messages from this sender in the past. In this case Thunderbird recognizes the signature in the message. Alternatively, the signature in the message might itself be signed by an authority that Thunderbird recognizes.

If the content of the message changes after it is signed by the sender, then Thunderbird warns you. The content might change while the message is being transmitted, or it might change while it is stored on your computer. For example, security software on your computer might change it, or you might edit the content yourself. Any of these changes invalidate the signed content.

A signature does not apply to any of the message headers, not even to the subject or date.

Encrypted messages

An encrypted message has content that is unreadable. However, the message identifies certain people who can decrypt and read the message. If you are one of those people, then Thunderbird automatically decrypts the message when you display it. The message stored on your computer remains encrypted.

Some drawbacks of not being able to permanently decrypt messages is that you can't search them, and if you archive them they can't be accessed using other applications. Both S/MIME and the Enigmail extension can have problems with HTML messages. If the message is going to be both signed and encrypted its recommended you create a plain text message to help avoid signature failures. If you're using the Enigmail extension use PGP/MIME instead of inline PGP if you want to send HTML messages. [1] [2]

Components of the system

The S/MIME system in Thunderbird has various components. Four of these are known as certificates. Each certificate identifies a person, organization, or web site as follows:

Certificate Authorities (CAs)  Trusted organizations (or more rarely, people) that sign other certificates to assure you that those other certificates are genuine.
Web sitesThunderbird uses web sites to download extensions and for RSS feeds.
Other peoplePeople who send you messages.
YouThe identities that you use to send messages.

Thunderbird can also use certificates to verify signed extensions, but this feature is rarely used, and Thunderbird does not have a separate list of certificates for this purpose.

Another (optional) component of the system is your master password.

Three further components are beyond the scope of this article:

Certificate revocation lists (CRLs)Online services for identifying certificates that are no longer valid (removed in 24.0 and later)
Online Certificate Status Protocol (OCSP)Online services for identifying certificates that are no longer valid
Security devicesAdditional software and perhaps hardware for the security system—for example, a smart card device.


A certificate is a file containing data used for encryption (known as keys) together with other information. Thunderbird imports certificate files and stores them together in your profile, not as separate files.

To work with the lists of certificates, choose Tools – Options (Preferences) – Advanced – Certificates – View Certificates. In the Certificate Manager window, you can view, edit, import and delete certificates.

The other information in certificates includes, for example:

  • The name and other information about the person or organization the certificate identifies
  • The dates when the certificate becomes valid and expires
  • The purposes that the certificate can be used for

You can view any certificate to see this information, and you can edit it to make limited changes to the purposes. Some of the purposes are:

SSL Certificate AuthorityAble to sign other certificates
SSL Server CertificateAble to identify web sites
Email Signer CertificateAble to sign e-mail messages
Email Recipient Certificate  Able to decrypt encrypted messages

Your own certificates

To use your own certificate there are usually three steps:

  1. Get or create the certificate file.
  2. Import the certificate into Thunderbird.
  3. Associate the certificate with an identity.

For more information about getting certificates for your own identities, see: Getting an SMIME certificate

Certificate files for your own identities normally contain their own password-protection. File name extensions for them are: .p12 and .pfx

Create your own certificates and import them into Thunderbird. When you import your own certificate, you normally need to supply the password that protects the file. For more information about importing your own certificates, see: Installing an SMIME certificate

You can export your own certificates for separate backup. When you export a certificate to back up, the exported .p12 file is protected by its own password. Do not share your certificates with any other person because it contain both private (must be kept secret) and public keys.

Probably you want export your public key certificate (.cer) to share it with friends or to publish it on your website allowing people to send you encrypted emails. Thunderbird has no built-in function for this. However it can be easily done with the Firefox Add-on Key Manager. First you need to export your .p12 certificate from Thunderbird and import it into Firefox (see Installing an SMIME certificate). Second open Key Manager (Tools - Key Manager Toolbox - Key Manager - Your Keys), select your key, Export and choose X.509 as file format.

Certificates and identities

Associating a certificate with an identity for sending messages is a separate step. In Account Settings, on an account's Security page, choose the certificates for the account's default identity. You can use the same certificate for both signing and encryption, if the certificate allows this.

Thunderbird has no user interface for choosing a certificate for other identities (this is bug 252250). To work around it, choose the certificate for an account's default identity. Close Thunderbird and go to your profile. Back up and edit the file prefs.js there, and search in the file for the four certificate settings:


Change the identity number in these settings from the account's default identity number to the identity number you want. You will have to look around the file to discover which number it is. The order of settings within the file is not important, so there is no need to move them.

You can associate certificates with other identities by copying these four settings and changing the identity numbers and values.

Your master password

You are asked to set a master password to protect your own certificates stored in Thunderbird. If you do not set a master password, then someone who has access to your computer might be able steal and use your certificates.

You might choose different security measures to protect your stored certificates instead of a master password—for example, if you work in an environment where you could be observed typing a master password. However, leaving your stored certificates unprotected is probably a bad idea.

For more information about master passwords, see: Master password

Certificates for other people and organizations

Certificate files for other people and organizations can have various file name extensions: .crt, .cert, .cer, .pem and .der

Thunderbird imports certificates automatically from signed messages that you open, if the certificates are themselves signed by trusted certificate authorities (CAs).

When you import certificate files for other people and organizations, you specify the purposes that you allow the certificate to be used for. You do not normally have to do anything else to use the certificates.

You cannot export certificates for other people and organizations unless you use a separate program to export them. This are bugs 161275 and 315871. A workaround is to use the add-on Cert Viewer Plus.

If you have set a master password, it does not apply to these certificates (because all the information in them is public).

Expired Certificate

Eventually the S/MIME certificate will expire (usually within a year). You need to keep an expired S/MIME certificate in order to read any messages that were encrypted and/or signed with it. Don't delete it when Thunderbird complains about an expired certificate, just add the new certificate.

You typically get a new S/MIME certificate for yourself in Firefox, export it using Tools -> Options- > Advanced -> Encryption -> View Certificates -> Your Certificates -> Backup, and then import it into Thunderbird. [3] . It is recommended that you backup your expired certificate in the browser and then delete it before getting a new certificate for yourself.

Sending mail

When you write a message, choose Options – Security to choose whether to sign it, encrypt it, or both.

To sign a message, you must have a certificate (.p12 because the private key is used) for the identity that you are using to send the message. The certificate must be stored in Thunderbird, and associated with your identity, as described above. Specify the identity by choosing the message's From address before you choose to sign the message. If you change the From address, the message will not be signed unless you again choose to sign it.

To encrypt a message, you must have a certificate (.cer because the public key is used) for each person who will receive the message, and also your own certificate for the identity that you are using to send the message (this is because the message will be encrypted so that only these people, including you, the sender, can decrypt it). All these certificates must be stored in Thunderbird, and your own certificate must be associated with your identity, as described above.

Icons in the status bar at the bottom of the message indicate whether it will be signed or encrypted when sent. The icons are smaller versions of those in the section below. To see information about the message's security, click one of the icons or choose: View – Message Security Info   (In the default theme it is not obvious that the icons are clickable.)

The message is signed or encrypted when you send it or save it as a draft. If you edit the draft, you must set the message's security features again.

Invalid Certificate

When trying to send a digitally signed or encrypted message, the certificate used for signing/encryption will be validated. It is possible that you receive an error at this stage that prevents you from sending or storing a draft of this message. This error occurs, if the certificate you are using is not fully trusted. In Thunderbird, you will receive the following error message:

Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted.

To resolve this issue follow these steps:

  1. Go to the security preferences and view the certificate you were about to use for signing/encryption
  2. Change to the details tab and look at the certificate hierarchy: you will see your certificate at the lowest node in the tree. The node at the top is the root CA.
  3. Verify whether all parent nodes of the certificate are in your list of trusted CAs, and whether they can be used to identify mail users

Receiving mail

When you receive a signed or encrypted message, you see one or two icons in the message's header area (but only if the header area is not collapsed).

In the default theme in Thunderbird 2, the icons are:

PCMac Meaning
Image:Icons-tb2pc-smime.pngImage:Icons-tb1.5mac-smime.png Signed (The red blob is not meant as a warning—it just depicts sealing wax.)
Signed, but the signature is doubtful
Signed, but the signature is not valid
Encrypted, but the encryption is not valid

To see more information about the message, click one of the icons or choose: View – Message Security Info (in the default theme it is not obvious that the icons are clickable).

If the message is encrypted but Thunderbird cannot decrypt it, then you also see information from Thunderbird in place of the message content.

See also

External links