PGP passwords should not be stored on disk. (Security Issue)
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(Not tracked)
People
(Reporter: bugzilla, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Keeping PGP Private Key Passwords in memory per session is reasonable but saving them for automatic decryption along with account passwords is NOT!
There is a big difference in expected privacy and security levels between an account password and a PGP Private Key Password!
PGP passwords should not reside on disk anywhere! By rights, they should also be explicitly purged from memory upon exiting Thunderbird.
Actual results:
Private PGP key automatically accessed without having to enter password after first use.
Expected results:
PGP Private Key Password should be solicited for manual entry upon every session.
PGP Private Key Password should reside only in memory per session.
PGP Private Key Password should be explicitly wiped from memory upon Thunderbird exit.
Comment 1 • 5 years ago
Using the master password will give you that. (See bug 1662272).
Of course, if you really care about what's written to disk, you should not rely on that, but use full disk encryption.
No, the master password does NOT "give me that," you are degrading security!
OpenPGP already has a strong security mechanism in the form of a Private Key Pass Phrase. Normal use of PGP/GPG/OpenPGP never involves writing that private key pass phrase to disk.
Thunderbird's implementation of writing that secret pass phrase to disk is a violation of all defined best practice. Arguing that this violation can be compensated for via additional workarounds such as full disk encryption is specious. Simply stop degrading security!
First -- I do not want ALL of my secure email unlocked and exposed every time I run Thunderbird.
Second -- Full disk encryption only provides protection to dead systems. The drive is effectively decrypted while in use and its contents are subject to the same live access as any other drive.
Third -- The Master password groups everything together at the same level. PGP Private keys demand a considerably higher level of security than access to Youtube or Reddit.
Fourth -- People have more than one Private Key. Recording all the private key pass phrases together yet again degrades security.
Ironically this doesn't require custom code development, Thunderbird already does the proper thing if there is no known private key. Simply remove the extra code that subverts everything by saving the Pass Phrase. Why are you working so hard to do the wrong thing?
I totally agree with 'bugzilla' (aka bug reporter), the way OpenPGP was implemented in Thunderbird 78 is just insane. Reason why I'm currently getting rid of Thunderbird, after using it for 18 years! That's a very sad decision, but there's no other choice since I don't believe this critical issue will get fixed soon (if it ever gets fixed... which I also highly doubt).
Can someone tell me how I can wipe out my passphrases currently stored (against my will) in Thunderbird? Many thanks in advance.