This seems so fundamentally wrong I'm having trouble understanding why the
developer insists on doing it.
https://bugzilla.mozilla.org/show_bug.cgi?id=1678655
PGP passwords should not be stored on disk. (Security Issue)
-----------------------------
Keeping PGP Private Key Passwords in memory per session is reasonable but saving them for automatic decryption along
with account passwords is NOT!
There is a big difference in expected privacy and security levels between an account password and a PGP Private Key
Password!
PGP passwords should not reside on disk anywhere! By rights, they should also be explicitly purged from memory upon
exiting Thunderbird.
Actual results:
Private PGP key automatically accessed without having to enter password after
first use.
Expected results:
PGP Private Key Password should be solicited for manual entry upon every
session.
PGP Private Key Password should reside only in memory per session.
PGP Private Key Password should be explicitly wiped from memory upon
Thunderbird exit.
PGP passwords should not be stored on disk. (Security Issue)
-----------------------------
Using the master password will give you that. (See bug 1662272).
Of course, if you really care about what's written to disk, you should not rely
on that, but use full disk encryption.
Status: UNCONFIRMED → RESOLVED
Closed: 1 hour ago
Resolution: --- → INVALID
-----------------------------
No, the master password does NOT "give me that," you are degrading security!
OpenPGP already has a strong security mechanism in the form of a Private Key Pass Phrase. Normal use of PGP/GPG/OpenPGP
never involves writing that private key pass phrase to disk.
Thunderbird's implementation of writing that secret pass phrase to disk is a violation of all defined best practice.
Arguing that this violation can be compensated for via additional workarounds such as full disk encryption is specious.
Simply stop degrading security!
First -- I do not want ALL of my secure email unlocked and exposed every time I
run Thunderbird.
Second -- Full disk encryption only provides protection to dead systems. The drive is effectively decrypted while in use
and its contents are subject to the same live access as any other drive.
Third -- The Master password groups everything together at the same level. PGP Private keys demand a considerably higher
level of security than access to YouTube or Reddit.
Fourth -- People have more than one Private Key. Recording all the private key pass phrases together yet again degrades
security.
Ironically this doesn't require custom code development, Thunderbird already does the proper thing if there is no known
private key. Simply remove the extra code that subverts everything by saving the Pass Phrase. Why are you working so
hard to do the wrong thing?
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
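The "expected results" in the quoted bug report describe a concrete behaviour: prompt for the private-key passphrase the first time a key is used in a session, keep it only in memory, keep each key's passphrase separate, and overwrite it on exit rather than persisting it beside account passwords. The following is an added illustration of that session-scoped caching pattern, written for this page; it is not Thunderbird's code and makes no claim about how Thunderbird or its OpenPGP support is implemented. The class name, the `prompt` callback and the key ids are assumptions for the example.

```python
import atexit
from typing import Callable, Dict, List, TypeVar

T = TypeVar("T")


class SessionPassphraseCache:
    """Holds OpenPGP private-key passphrases in memory for one session only.

    Hypothetical example class (not Thunderbird code). It mirrors the
    behaviour the bug report asks for:
      * the passphrase is requested from the user the first time a key id is
        needed and then kept in a mutable bytearray;
      * each key id has its own entry, so forgetting one key's passphrase
        does not affect the others;
      * there is deliberately no save/load: nothing is ever written to disk;
      * wipe() overwrites every cached byte with zeros before dropping the
        reference, and is registered with atexit so it runs at shutdown.

    Caveat: the str returned by the prompt is an immutable copy that Python
    frees but does not zero. A real client would read the passphrase into a
    mutable buffer directly; the zeroing below covers only the bytearray.
    """

    def __init__(self, prompt: Callable[[str], str]) -> None:
        self._prompt = prompt  # e.g. getpass.getpass in an interactive client
        self._cache: Dict[str, bytearray] = {}
        atexit.register(self.wipe)

    def unlock(self, key_id: str, use: Callable[[bytearray], T]) -> T:
        """Run `use(passphrase)` for key_id, prompting once per session.

        The passphrase is handed to the callback as the live bytearray rather
        than copied out, so that wipe() later zeroes the only copy this cache
        controls. The callback must not retain a reference to it.
        """
        buf = self._cache.get(key_id)
        if buf is None:
            buf = bytearray(self._prompt(key_id), "utf-8")
            self._cache[key_id] = buf
        return use(buf)

    def cached_ids(self) -> List[str]:
        """Key ids whose passphrase is currently held in memory."""
        return sorted(self._cache)

    def forget(self, key_id: str) -> int:
        """Zero and drop one key's passphrase; returns the number of bytes zeroed."""
        buf = self._cache.pop(key_id, None)
        if buf is None:
            return 0
        return self._zero(buf)

    def wipe(self) -> int:
        """Zero and drop every cached passphrase (also runs via atexit)."""
        total = 0
        for key_id in list(self._cache):
            total += self.forget(key_id)
        return total

    @staticmethod
    def _zero(buf: bytearray) -> int:
        # Overwrite in place so any holder of the same bytearray sees zeros.
        for i in range(len(buf)):
            buf[i] = 0
        return len(buf)


if __name__ == "__main__":
    import getpass

    cache = SessionPassphraseCache(lambda kid: getpass.getpass(f"Passphrase for {kid}: "))
    # Constructed demo key id; the callback only reports the length so the
    # passphrase itself is never copied out of the cache.
    print("passphrase length:", cache.unlock("EXAMPLE-KEY-ID", len))
    print("cached:", cache.cached_ids())
    print("bytes wiped:", cache.wipe())
```

The point of the `use` callback, rather than a getter that returns the passphrase, is that the cache retains control of the only buffer it knows about, so the zeroing in `wipe()` is meaningful. Any design that serializes this cache would reintroduce exactly the on-disk copy the bug report objects to.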