I'm pleased to announce that we, the Sequoia PGP team, have released
v1.0 of the Octopus. The Octopus is an alternate OpenPGP backend for
Thunderbird 78 based on Sequoia PGP.

You can find more details in our blog post and README, which also
include installation instructions (for Windows we provide precompiled

The project was started as a simple Thunderbird-specific drop-in
replacement for RNP, which Fedora and Red Hat do not want to
distribute, because Botan is not one of the cryptographic backends
that they support.

In the end, the project grew to also reintroduce many of the features
that we and others miss from Enigmail, in particular, close gpg
integration, web of trust support, and background updates. Along the
way, we also discovered some security flaws, which we found
workarounds for (see below). And Sequoia has several non-functional
advantages. The features and advantages include:
- Integrates GnuPG's keyring.
- Integrates GnuPG's key validity information ("web of trust").
- Directly talks to gpg-agent (no GPGME required).
- Updates certificates in the background using something like
- Rejects weak cryptographic primitives.
- Works around a 20-year-old security flaw that Thunderbird
introduced by rewriting Thunderbird-generated signatures on the
Non-functional advantages:
- Unencrypted secret key material is protected in memory (like
OpenSSH). This frustrates Heartbleed, Spectre, etc.-style
- Countermeasures for weakness in SHA-1 collision resistance.
  (RNP accepts SHA-1 everywhere. In fact, stock RNP accepts MD5!)
  - Use of a variant of SHA-1 called SHA-1 collision detection, which
    is used by GitHub, for instance.
  - SHA-1 is only accepted in safer contexts.
  - We've published and committed to a SHA-1 deprecation timeline.
  - Signatures include a salt to protect them from some attacks on
    collision resistance (like OpenSSH).
- Avoids RNP's split brain problem due to its multiple sources of
- Some code (in particular, certificate parsing, which is slow) is
multithreaded thanks to Rust's safer concurrency primitives.
- Support for a broad range of OpenPGP certificates.
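To illustrate why the salted-signature bullet above matters, here is an added toy example; it is not Sequoia's or the Octopus's code and does not model the OpenPGP signature format. A deliberately weak hash (SHA-1 truncated to 24 bits) stands in for a hash whose collision resistance is broken, a birthday search finds two documents that hash alike, and an HMAC stands in for the public-key signing operation. The signing key, the document prefixes and the 16-byte salt are constructed for the example. It shows that a signature over the bare digest carries over from the benign document to the malicious one, while a signer-chosen random salt hashed in front of the message breaks the precomputed collision, because the attacker had to fix both documents before the salt existed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Toy model, constructed for this example (not Sequoia's or OpenPGP's code).
# weak_digest stands in for a hash whose collision resistance is broken:
# SHA-1 truncated to 24 bits, so a birthday search collides in a few thousand tries.


def weak_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()[:3]


def find_collision(prefix_a: bytes, prefix_b: bytes) -> Tuple[bytes, bytes]:
    """Find two messages with different prefixes that collide under weak_digest.

    Models an attacker who prepares a benign and a malicious document that
    hash alike before asking the victim to sign the benign one.
    """
    seen_a: Dict[bytes, bytes] = {}
    seen_b: Dict[bytes, bytes] = {}
    for i in range(1 << 20):
        suffix = i.to_bytes(4, "big")
        ma, mb = prefix_a + suffix, prefix_b + suffix
        da, db = weak_digest(ma), weak_digest(mb)
        if da in seen_b:
            return ma, seen_b[da]
        if db in seen_a:
            return seen_a[db], mb
        seen_a[da], seen_b[db] = ma, mb
    raise RuntimeError("no collision found")


def sign_unsalted(key: bytes, message: bytes) -> bytes:
    """Toy signature over the bare digest (HMAC stands in for the public-key operation)."""
    return hmac.new(key, weak_digest(message), "sha256").digest()


def verify_unsalted(key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_unsalted(key, message), sig)


def sign_salted(key: bytes, message: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Signer picks a random salt and hashes salt || message; the salt travels with the signature."""
    if salt is None:
        salt = os.urandom(16)  # constructed salt size for the toy
    return salt, hmac.new(key, weak_digest(salt + message), "sha256").digest()


def verify_salted(key: bytes, message: bytes, salt: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_salted(key, message, salt)[1], sig)


def demo() -> Dict[str, bool]:
    key = b"toy signing key"  # constructed
    benign, malicious = find_collision(b"I agree to pay 10 EUR ", b"I agree to pay 10000 EUR ")
    # Unsalted: the victim signs `benign`; the same signature verifies on `malicious`.
    sig = sign_unsalted(key, benign)
    unsalted_transfers = verify_unsalted(key, malicious, sig)
    # Salted: the signer's random salt changes the hashed input after the collision
    # was prepared, so the pair no longer collides (except with probability ~2^-24 here).
    salt, ssig = sign_salted(key, benign)
    salted_transfers = verify_salted(key, malicious, salt, ssig)
    return {
        "collision_found": weak_digest(benign) == weak_digest(malicious) and benign != malicious,
        "unsalted_signature_transfers": unsalted_transfers,
        "salted_signature_transfers": salted_transfers,
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints a dictionary with the collision found, the unsalted signature transferring to the malicious document, and the salted one not transferring. The truncation only makes the attacker's collision step cheap enough to run here; with the real SHA-1 the step is expensive but known to be feasible, which is exactly why the salt (and the other SHA-1 countermeasures listed above) are worth having.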
If you have any questions, feel free to reach out either via email or
on our IRC channel (Freenode, #sequoia).