Open Bug 1679455 Opened 7 months ago Updated 5 months ago

Remove the ability to store OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

enhancement

Tracking

(Not tracked)

People

(Reporter: jhg, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [dupeme])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

Thunderbird opens your keyring on startup and stores your passphrases, so you can sign without entering the passphrase.

This represents a critical security issue, as it means anyone with physical access to your computer can send forged emails as you, signed with your private key. Enigmail by default prompted for a key's passphrase every time it was used. OpenPGP integration supersedes Enigmail (and TB 78 makes Enigmail unusable).

There are several other Bugzilla entries for this, all of which (AFAICT) cavalierly dismiss the issue as "Just lock your computer". This is not well thought out, as there are use cases where people must share a computer.

Simply put, TB OpenPGP integration MUST be configurable to prompt for a private key passphrase every time it is used.

I tend to agree with Jim's postulate, an option to ask for the password every time the key is used isn't too much to ask.
Jim, can you list the other bug numbers which have requested the same (and perhaps were closed)?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jhg)
Whiteboard: [dupeme]
Summary: OpenPGP critical security issue with key passphrases → OpenPGP critical security issue: Need option to request key password every time the key is used (as in Enigmail)

See also bug 1679278.

We wouldn't be able to require that the master password is entered each time related data is used, because that code is shared with Firefox.

So, if we wanted to introduce a "prompt every time an OpenPGP secret key is used", we'd need passwords for OpenPGP keys that are independent of the master password.

Type: defect → enhancement
Depends on: 1679278
Summary: OpenPGP critical security issue: Need option to request key password every time the key is used (as in Enigmail) → Add a configuration option to prompt the user for an OpenPGP passphrase every time a secret key is used
Component: Security → Security: OpenPGP
Product: Thunderbird → MailNews Core

Here are four that were casually dismissed

bug 1678655
bug 1665536
bug 1670806
bug 1667057

The design of this feature (OpenPGP integration) violates numerous important security principles and greatly REDUCES security by storing key passphrases. Private key passphrases should NEVER be stored in any form, anywhere.

For anybody that actually understands PGP and cares about security, this makes Thunderbird completely unusable as a mail client. I have posted a detailed description of the problem to the ACM Risks Forum, expect to receive commentary from security experts.

Flags: needinfo?(jhg)
Summary: Add a configuration option to prompt the user for an OpenPGP passphrase every time a secret key is used → Add a configuration option to prevent storage of OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used
Summary: Add a configuration option to prevent storage of OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used → Remove the ability to store OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used

Note that Thunderbird doesn't store any user assigned passphrases. If the user is importing an existing OpenPGP key, and enters their own passphrase, we'll not store it. Rather, we unlock, and re-encrypt the passphrase with our own random passphrase.

Private key material is always stored encrypted.

The private key material can be automatically unlocked by default, because the unlock key is unprotected, unless the user assigns a master password. This isn't a new design. Thunderbird has always used this approach for storing the private key material of S/MIME certificates.

I'm not sure why this is so hard to understand. Let me describe
two scenarios, and you tell me which one is secure and how they
differ.

Scenario 1 - Plain OpenPGP

I am required to enter the passphrase every time I wish to use it,
either to sign a message or read a message encrypted to me. The only
place in the universe where my passphrase lives is in my head. My
passphrase is long enough (30-40 bytes) that brute force is not an
option. When I enter it in OpenPGP it gets used to temporarily
decrypt my private key and is then erased from memory. I trust that
this happens because OpenPGP is open source, and is constantly being
scrutinized. If there was a bug in that code it would be discovered
and corrected quickly.

Nobody except me can provide the passphrase, meaning nobody can
impersonate me. If my computer is stolen, the thief cannot find the
passphrase stored anywhere, and even though they have my keyring it
is useless without the passphrase.

Scenario 2 - Thunderbird OpenPGP

When I import my private key, TB requests my passphrase, unlocks the
private key and re-locks it with a random passphrase. That new random
passphrase is encrypted symmetrically with another key and stored on
disk. In order to use my private key, TB must be able to decrypt the
stored passphrase, which means the symmetric key is also stored on
disk.

Now, if my computer is stolen, all the thief has to do is set up a VM,
run TB, and step through the code one instruction at a time, looking
for where the symmetric key is used to decipher the passphrase. A
breakpoint at the right place reveals everything.

Sounds really tedious... oh, wait, TB is open-source, so I should be
able to download the source and find that bit of code without much
trouble. My private key is now completely exposed.

TB's implementation has taken what was a mathematically intractable
problem and reduced it to a few hours' work for any experienced hacker.

You describe a scenario, in which stealing a computer is sufficient to get access to the secret key material stored on the computer.
(I assume no disk encryption is used in your scenario.)

You say, if an OpenPGP passphrase is used, which isn't stored on disk, the thief cannot easily access the secret key material. I agree.

Please let's briefly talk about the scenario that the Thunderbird user sets a master password (which protects the symmetric key that is necessary to unlock the key material). Do you agree that a user chosen master password (not stored on disk) provides equivalent security to having an user chosen OpenPGP passphrase?

Surely it's better to provide an encryption option that is excess to requirements than to not provide an encryption option and possibly leave systems vulnerable as described above? ESPECIALLY as:

Thunderbird advertises the security credentials of TB78 with PGP. This will encourage people to use Thunderbird for encrypted email.
EnigMail on TB68 actually did exactly what Jim (et al) is requesting

Please can this ability ( two options: true/false confirm user key pass when requiring PGP decryption using said key, and a timer for how long that windows can be open once a password is successfully given (Enigmail did I think 5,10,15 minute options)).

Please see my bug 1680033

Further to the above, a secondary aspect of Passphrases for PGP Keys on a per-key basis is that to have a passphrase for PGP AUTHENTICATES that the genuine user can send and read emails, rather than just anyone on the device who gains access to Thunderbird. It correlates the PGP Key with the key's legitimate owner, as well as providing a slowing mechanism for any attempts to breach this security.

You need to log in before you can comment on or make changes to this bug.