Blog from June, 2020

New in S/Notify 3.2

S/Notify is undoubtedly the most comprehensive email encryption solution for Jira and Confluence!

S/Notify for Jira Data Center Available

This affects only Jira Data Center users. If you are using Jira Server, nothing changes for you.

Due to repeated customer demand, we have been working on releasing a Data Center version. Starting from S/Notify 3.2, we will start releasing S/Notify for Jira Data Center versions in parallel to our S/Notify for Jira Server versions.

JIRA DATA CENTER USERS

What this means for you:

Any customer running this application on a DC Instance need to convert their license over to a DC App license if they intend on upgrading to this DC version.

For more information see: https://www.atlassian.com/licensing/data-center-approved-apps#

S/Notify for Confluence Data Center Approval in Process

We plan to also provide an S/Notify for Confluence Data Center version with the next feature release.

CONFLUENCE DATA CENTER USERS

Please note that we have started the DC Approval process and intend on releasing a DC compatible version in the future.

What this means for you:

Any customer running this application on a DC Instance would need to convert their license over to a DC App license if they intend on upgrading to the DC version in the future.

For more information see: https://www.atlassian.com/licensing/data-center-approved-apps#

S/Notify 3.2 New Features And Improvements

Elliptic Curves Ciphers

You have asked for it, and here it comes: S/Notify now supports PGP keys with elliptic curves ciphers. 

Elliptic curves ciphers are gathering more and more interest because they are said to be more secure if compared to classic ciphers at the same key length. We have tested with NIST curve P-256 (GnuPG selection EcDSA) and Curve25519 (GnuPG selection EdDSA), but others should work as well.

Email Subject Encryption

Again, due to customers asking for it, we have now added support for the encryption or protection of the email subject. As the email subject may contain sensitive data, this makes a lot of sense. However, bot S/MIME and PGP usually only encrypt the message body, leaving the headers exposed – with the email subject being one of them.

There are some attempts and drafts how to protect the subject which, however, are not yet widely supported. For example, the S/MIME standard describes a way to wrap the full message including it headers and encrypt it. However, such messages are interpreted as forwarded messages and thus displayed in a way that confuses the standard email user. While in Apple Mail, it worked quite well, Microsoft Outlook hides the whole message in an attachment, displaying only an empty message to the user. Because of this unsatisfactory situation, we decided to got for another approach often referred to as MemoryHole Protected Headers

We use Protected Headers in legacy mode. This means that the email subject is displayed as plain text to the users by email clients that do not know about Protected Headers. We found this to be the less confusing and most versatile approach. However, if you prefer to use the S/MIME rfc822/message approach, please contact us, and we will tell how to change it.

With regard to incoming email, subject encryption will automatically be detected and processed correctly, independent from which of the above approaches has been chosen by the sender. 

Key Or Certificate Extraction (Jira only)

S/Notify provides many ways to manage keys and certificates, from users uploading them on their own to using key servers, local key stores, or LDAP servers to obtain the necessary encryption keys. 

This release adds one more way to the list, by offering to automatically extract keys or certificates from incoming email. Once activated, incoming email will be checked for attached PGP keys or certificates that are usually included in S/MIME signatures. If found, they are extracted and stored for use of encrypting emails to the user.

Note that for keys or certificates to be extracted, the incoming email must be properly signed, and, of course, the key or certificate must be valid for the sender who has to be a valid Jira user.

Other Improvements

  • PGP encryption now selects symmetric cipher from key preferences 

  • Improved error checks for key server URLs 

  • Improved user group selection in large Jira instances 

  • Updated underlying BouncyCastle crypto libraries 

  • Protection against certain XSS attacks 

Fixes

  • Advanced settings had missing translation key displayed 

  • Internal test email could be sent during setup if mailer library was not present yet. These emails will now be deleted from email account when encountered.

Please send us comments, feature wishes, and any other type of feedback – it is much appreciated!

The issue has been fixed with release 3.2.1, please see New in S/Notify 3.2

Updates

UPDATE#4:
S/Notify 3.2.1 for Jira has been released for Server and Data Center

UPDATE #3:
S/Notify 3.2.1 for Confluence has been released
S/Notify 3.2.1 for Jira is awaiting final DC approvement

UPDATE #2:
We’ve fixed the problem and are preparing S/Notify 3.2.1 for its release

UPDATE #1:
Both, Jira and Confluence, are affected

Unfortunately, a bug has slipped through our release testing - see below for details

Problem

When upgrading to S/Notify 3.2.0 from an earlier version, the per-project / per-space encryption settings are lost.

The problem appears only when upgrading, and it is only relevant to customers who use per-project encryption.

We would like to thank Mirko Tanania who reported this issue to us!

Resolution

We have decided to withdraw S/Notify 3.2.0 from the Marketplace. It is no longer available from there.

We have identified and fixed the issue, and we are in the process of releasing S/Notify 3.2.1 on the Atlassian Marketplace.

We recommend that you watch this page to receive updates as we proceed!

What to consider when installing S/Notify 3.2.1

You can just upgrade S/Notify 3.2.1, and your settings from 3.1.0 or earlier will be kept properly.

Only if had already installed 3.2.0, note that project settings changed in 3.2.0 are not kept. Instead, your original settings from 3.1.0 or earlier will be restored.

We are sorry for any inconveniences we may have caused!