Launchpad sends (unencrypted) mail notifications about private assets

Bug #3165 reported by Jeff Bailey on 2005-10-14
304
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Unassigned

Bug Description

Symptoms
========

Launchpad sends notifications to changes on private objects via regular email.

This is not secured and could disclose private information if the mail is intercepted.

Users cannot readily reason about the chance of disclosure when entering private or proprietary data in to LP.

Analysis
========

Some of our users will want to run the risk of disclosure as they have folk they work with who have very limited internet facilities - doing 'object X has changed click here to see the change' style notifications would likely just frustrate them.

Other users have very high confidentiality concerns and may want to prevent all unsecured mail being sent.

We have one low hanging fruit we could apply: opportunistic TLS on the outbound mail path.

Failing that we probably need to do some stakeholder research to get a full handle on the expectations, and to assess the risks they face.

James Henstridge (jamesh) wrote :

One option might be to encrypt private bug mail (assuming that the user has registered a GPG key that is usable for encryption).

Jeff Bailey (jbailey) wrote :

Yup. It might be interested to have a preferences option for Encrypt: Always, confidential, and never. Sign: Always, confidential, and never.

But I don't know that it would solve the problem for the average end user. If it's not set to encrypt the confidential email, I think it still shouldn't send the contents. Otherwise someone pasting logs with passwords might not realise that it's going over a plaintext session until after they've received a copy of it.

Tks,
Jeff Bailey

Dafydd Harries (daf) on 2005-12-16
Changed in launchpad:
status: New → Accepted
Christian Reis (kiko) wrote :

Won't this be seriously inconvenient for security personnel?

Kees Cook (kees) wrote :

I wouldn't mind emails getting encrypted.

As for the other option, it would be a minor inconvenience to have no contents at all, as the majority of the security bugs are not marked private. Since I already use LP to do the security bug reviews (email notifications tend to just be a "reminder" to go check the bug lists), it wouldn't be too bad for me. (As long as there's still a bug URL in the email, I'm happy.)

Soren Hansen (soren) wrote :

How about this:

If a bug is not private, do what we've always done.

If a bug is private, and the user has accepted to get encrypted e-mail, encrypt it. If he hasn't accepted to receive encrypted mail, send only the status change stuff (and perhaps a notification of new comments). The footer should contain a link to the place where you change your "accept encrypted e-mail" setting.

When implementing this, it might make sense to go through all the bug mail that malone has received, find the GPG signed e-mails and set "accept encrypted e-mail" for the senders to "on" as they clearly have used gpg before and are likely to be able to use it. Also, when a user sends his first gpg signed e-mail to malone, this setting should be set to "on".

Jeff Bailey (jbailey) wrote :

Soren,

I'd say status change, plus URL to get to the message. After that, it looks good to me.

Graham Binns (gmb) on 2010-06-04
tags: added: story-better-bug-notification
Graham Binns (gmb) on 2010-08-11
tags: added: story-better-notification-sending
Changed in launchpad:
importance: Medium → High
Gary Poster (gary) on 2011-01-21
tags: removed: story-better-bug-notification
Curtis Hovey (sinzui) on 2011-10-22
tags: added: feature privacy
removed: lp-bugs story-better-notification-sending
Changed in launchpad:
importance: High → Low

I'm putting this back to high, because our notifications really make a bit of a mockery of our ssl-only approach.

Changed in launchpad:
importance: Low → High
Curtis Hovey (sinzui) wrote :

good luck implementing this in the next two years

Turning on voluntary SMTP TLS on outgoing mail (from eg fiordland)
would get close to the security properties of https, with no code
changes and no user disruption. Like for https, this would protect
the data in transit, and it is fairly plausible (though not
guaranteed) that users have a secure path between their MUA and MX,
and that their MUA is as secure as their browser.

summary: - Launchpad sends (unencrypted) mail notifications about private bug
- reports
+ Launchpad sends (unencrypted) mail notifications about private assets
description: updated

fwiw I think there is an existing, very old rt, for doing this.

Robert Collins (lifeless) wrote :

Stakeholders would like this addressed in some fashion; optimistic TLS as a requirement is probably a decent approach - and route all non-optimistic-TLS mails tagged for private objects to a blackhole that logs the fact and swallows the mail.

tags: added: notifications
John Ross (johnross-johnross) wrote :

I was just made aware of this bug report after mine was marked as a duplicate. I'm absolutely astounded that this has been known since 2005 and yet nothing has changed!

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers