Closed Bug 1679330 Opened 3 years ago Closed 3 years ago

Private keys are not secured

Categories

(Thunderbird :: Security, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1679278

People

(Reporter: xypron.glpk, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux aarch64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

With Thunderbird 78.5 the Enigmail plugin was eliminated. Instead PGP keys have to be stored inside Thunderbird.

Under Enigmail the private keys were password protected.

Actual results:

I was not asked for a password when signing a mail.

So anybody getting a copy of my Thunderbird profile can sign mails in my name.

This is completely insecure and thus not acceptable.

Expected results:

Thunderbird should not change the encryption of private keys and ask for the password for every single mail that is signed.

> So anybody getting a copy of my Thunderbird profile can sign mails in my name.

...and anyone getting a copy of your harddisk content (including your Thunderbird profile) can do a lot worse things in your name anyway? Which strange sense of safety would a password protection fulfill, uncovered by harddisk encryption and a user account password on a system level?

You can set a master password, which gives you some protection against accidental leakage of your key files.
https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected

If you need stronger protection, you can encrypt your hard disk and lock your computer account.

If you need individual passphrases on keys, you could use external gnupg, as described in our smartcard howto.
See also bug 1679278.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

(In reply to Andre Klapper from comment #1)

> > So anybody getting a copy of my Thunderbird profile can sign mails in my name.
>
> ...and anyone getting a copy of your harddisk content (including your Thunderbird profile) can do a lot worse things in your name anyway? Which strange sense of safety would a password protection fulfill, uncovered by harddisk encryption and a user account password on a system level?

"Well if they're going to break into your home anyway, why do you need to lock your lockbox?"

You make a huge assumption that the password for the PGP key is on the device, "Pretty Good Privacy" is a misnomer -- it is VERY good privacy, due to its asymmetrical build and is virtually impossible to break without the correct keys, which in turn are protected by a passphrase, yet this is entirely undermined by Thunderbird 78 not requiring a passphrase but instead supplying its own in an arbitrary fashion, at any time the application is running.

"The private key must always be stored securely. If hackers do not have the private key, it will take years for them to crack a PGP-encrypted message." This is why the private key is protected with a passphrase, typically gnuPGP accepts passphrases encrypted up to and above 4096-bits which will tend towards being impossible to brute force. Unlike Thunderbird which unlocks the key apparently virtually any time the application is open and running.
