Closed Bug 1665536 Opened 5 years ago Closed 5 years ago

Thunderbird OpenPGP Removes Passphrase from Keys

Categories

(MailNews Core :: Security: OpenPGP, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1662272

People

(Reporter: david.r.bergstein, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

  1. Upgrade from Thunderbird 68.x to 78.2
  2. Ran OpenPGP import of gpg keys

Actual results:

  1. Encrypted test messages on file display without passphrase prompt.
  2. Sent an encrypted and signed message without being prompted for a passphrase.

Expected results:

I expected to be prompted for my OpenPGP passphrase for the above operations. Clearing of passphrases on import appears to have occurred. This appears to be a security issue.

Secret keys are no longer protected by a passphrase in Tb-native OpenPGP, but are protected by the Master Password of Thunderbird.
If you do not set a Master Password, secret keys are not protected at all.

Maybe related to bug 1662272?

Yes, as Kosuke said, to protect your secret key, you need to set a master password. If you do, you will be prompted for it once at startup of Thunderbird, which is required to use your OpenPGP keys.

It's true that we remove the passphrase - however, we also set a new passphrase - with the intention to have all OpenPGP keys consistently use the same passphrase.

This is also explained here:
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected

I'll set this as invalid, because what you see is the intended behavior.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
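
To check on an exported key file whether the secret material is stored under a passphrase at all, one can read the S2K usage octet of each secret-key packet (RFC 4880, section 5.5.3): 0 means the key material is in the clear, any other value means it is encrypted. This is an added example, not Thunderbird or Enigmail code; it assumes a binary (non-armored) file with v4 RSA, DSA or Elgamal keys, and the sample bytes are constructed.

```python
# Added example (not Thunderbird code). Handles binary, non-armored v4 keys only.
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA, Elgamal, DSA (RFC 4880 5.5.2)

def read_packets(data):
    """Yield (tag, body) for each OpenPGP packet in a binary key file."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def s2k_usage(body):
    """Return the S2K usage octet that follows the public part of a secret key."""
    version, algo = body[0], body[5]
    if version != 4 or algo not in PUBLIC_MPIS:
        raise ValueError("only v4 RSA/DSA/Elgamal keys handled here")
    i = 6                                       # version + creation time + algorithm
    for _ in range(PUBLIC_MPIS[algo]):          # skip the public MPIs
        bits = int.from_bytes(body[i:i + 2], "big")
        i += 2 + (bits + 7) // 8
    return body[i]

def audit(data):
    """List (tag, state) for secret key (5) and secret subkey (7) packets."""
    return [(tag, "UNPROTECTED" if s2k_usage(body) == 0 else "protected")
            for tag, body in read_packets(data) if tag in (5, 7)]

# Constructed sample: toy 16-bit RSA public part, filler in place of key material.
PUB = bytes([4]) + bytes(4) + bytes([1]) + b"\x00\x10\xc3\x55" + b"\x00\x11\x01\x00\x01"
CLEAR = PUB + b"\x00" + b"\xaa" * 8             # usage 0: stored in the clear
LOCKED = PUB + bytes([254, 9, 3, 8]) + bytes(8) + b"\x60" + bytes(16) + b"\xbb" * 8
SAMPLE = bytes([0x94, len(CLEAR)]) + CLEAR + bytes([0x9C, len(LOCKED)]) + LOCKED

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero octet only shows that the key material is encrypted under some passphrase; it says nothing about where that passphrase is kept, which is the point at issue in this bug.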

Actually, let's mark it as a duplicate of bug 1662272 as Kosuke suggested, because you weren't aware that a master password can help you.

Resolution: WORKSFORME → DUPLICATE

(In reply to Kai Engert (:KaiE:) from comment #2)

> Yes, as Kosuke said, to protect your secret key, you need to set a master password. If you do, you will be prompted for it once at startup of Thunderbird, which is required to use your OpenPGP keys.
>
> It's true that we remove the passphrase - however, we also set a new passphrase - with the intention to have all OpenPGP keys consistently use the same passphrase.
>
> This is also explained here:
> https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected
>
> I'll set this as invalid, because what you see is the intended behavior.

Well, once again, this is the behaviour intended by Mozilla, NOT the behaviour intended (and expected) by users, as half a dozen bug reports clearly show.

The promise is "Thunderbird integrates Enigmail". Which EVERYONE will interpret as "Thunderbird becomes as secure as Enigmail", which obviously isn't the case. You can no longer protect N accounts with N passphrases, making it impossible that two people share a Thunderbird (but not share passphrases).

And you don't even tell people who are importing Enigmail data that you strip the security from it...

That's NOT the promise. We explicitly did not want to copy over Enigmail one to one. We wanted to support OpenPGP built-in.

Re "making it impossible that two people share a Thunderbird" - you must realize, if both people have physical access to the same OS profile, and even the same Thunderbird profile - you're talking nonsense. There's no real security going on there - and most likely the other person can easily find out whatever password by just taking the opportunity to be in the vicinity and catch that when entered ("eaves (=eyes) dropping"), installing a key logger, whatever.

People who want stronger isolation for different email accounts, for
example to share some with their family but not others, can use
different Thunderbird profiles instead. Different profiles have
different master passwords.

I also don't think that we should try to protect OpenPGP keys
from different people using the same Thunderbird profile.

This implies that people are forced to go out and back in again with profiles (which no one except for office workers will do), and stripping people of the ability to see e-mail from unprotected accounts sitting alongside the protected accounts. It is all a HUGE loss of practicability, and a big security hole that Thunderbird punches into PGP security.

Passphrases have a VERY good reason for being, and Thunderbird simply kills them (without telling their users). For me, this is unacceptable.

(In reply to Magnus Melin [:mkmelin] from comment #5)

> That's NOT the promise. We explicitly did not want to copy over Enigmail one to one. We wanted to support OpenPGP built-in.

But you DON'T ! PGP has passphrases per account SECURING the key. Thunderbird hasn't. It's an essential security measure.

Let alone the fact that in the first version you wrote keys unencrypted, without using the master password, on the local HDD, exposing them. CVE-2021-29956. And blatantly marked this as being the lowest possible level of priority, "low".

Mozilla once again deserved the bad press they got. If you want to further erode the shrinking market share, go ahead.

(In reply to Magnus Melin [:mkmelin] from comment #5)
> you must realize, if both people have physical access to the same OS profile, and even the same Thunderbird profile - you're talking nonsense.

Watch your language...

> There's no real security going on there - and most likely the other person can easily find out whatever password by just taking the opportunity to be in the vicinity and catch that when entered ("eaves (=eyes) dropping"), installing a key logger, whatever.

NOPE. My passphrase cannot be caught by that. And of course, that rests solely in the responsibility of the key owner. No one has to tell key owners that they must protect their passphrases from being watched.
