Closed Bug 1679455 Opened 2 years ago Closed 11 months ago

Remove the ability to store OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used

Categories

(MailNews Core :: Security: OpenPGP, enhancement)

enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jhg, Unassigned)

References

(Depends on 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

Thunderbird opens your keyring on startup and stores your passphrases, so you can sign without entering the passphrase.

This represents a critical security issue, as it means anyone with physical access to your computer can send forged emails as you, signed with your private key. Enigmail by default prompted for a key's passphrase every time it was used. OpenPGP integration supersedes Enigmail (and TB 78 makes Enigmail unusable).

There are several other Bugzilla entries for this, all of which (AFAICT) cavalierly dismiss the issue as "Just lock your computer". This is not well thought out, as there are use cases where people must share a computer.

Simply put, TB OpenPGP integration MUST be configurable to prompt for a private key passphrase every time it is used.

I tend to agree with Jim's postulate, an option to ask for the password every time the key is used isn't too much to ask.
Jim, can you list the other bug numbers which have requested the same (and perhaps were closed)?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jhg)
Whiteboard: [dupeme]
Summary: OpenPGP critical security issue with key passphrases → OpenPGP critical security issue: Need option to request key password every time the key is used (as in Enigmail)

See also bug 1679278.

We wouldn't be able to require that the master password is entered each time related data is used, because that code is shared with Firefox.

So, if we wanted to introduce a "prompt every time an OpenPGP secret key is used", we'd need passwords for OpenPGP keys that are independent of the master password.

Type: defect → enhancement
Depends on: 1679278
Summary: OpenPGP critical security issue: Need option to request key password every time the key is used (as in Enigmail) → Add a configuration option to prompt the user for an OpenPGP passphrase every time a secret key is used
Component: Security → Security: OpenPGP
Product: Thunderbird → MailNews Core

Here are four that were casually dismissed

bug 1678655
bug 1665536
bug 1670806
bug 1667057

The design of this feature (OpenPGP integration) violates numerous important security principles and greatly REDUCES security by storing key passphrases. Private key passphrases should NEVER be stored in any form, anywhere.

For anybody that actually understands PGP and cares about security, this makes Thunderbird completely unusable as a mail client. I have posted a detailed description of the problem to the ACM Risks Forum, expect to receive commentary from security experts.

Flags: needinfo?(jhg)
Summary: Add a configuration option to prompt the user for an OpenPGP passphrase every time a secret key is used → Add a configuration option to prevent storage of OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used
Summary: Add a configuration option to prevent storage of OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used → Remove the ability to store OpenPGP passphrases, and prompt the user for the passphrase every time a secret key is used

Note that Thunderbird doesn't store any user assigned passphrases. If the user is importing an existing OpenPGP key, and enters their own passphrase, we'll not store it. Rather, we unlock, and re-encrypt the passphrase with our own random passphrase.

Private key material is always stored encrypted.

The private key material can be automatically unlocked by default, because the unlock key is unprotected, unless the user assigns a master password. This isn't a new design. Thunderbird has always used this approach for storing the private key material of S/MIME certificates.

I'm not sure why this is so hard to understand. Let me describe
two scenarios, and you tell me which one is secure and how they
differ.

Scenario 1 - Plain OpenPGP

I am required to enter the passphrase every time I wish to use it,
either to sign a message or read a message encrypted to me. The only
place in the universe where my passphrase lives is in my head. My
passphrase is long enough (30-40 bytes) that brute force is not an
option. When I enter it in OpenPGP it gets used to temporarily
decrypt my private key and is then erased from memory. I trust that
this happens because OpenPGP is open source, and is constantly being
scrutinized. If there was a bug in that code it would be discovered
and corrected quickly.

Nobody except me can provide the passphrase, meaning nobody can
impersonate me. If my computer is stolen, the thief cannot find the
passphrase stored anywhere, and even though they have my keyring it
is useless without the passphrase.

Scenario 2 - Thunderbird OpenPGP

When I import my private key, TB requests my passphrase, unlocks the
private key and re-locks it with a random passphrase. That new random
passphrase is encrypted symmetrically with another key and stored on
disk. In order to use my private key, TB must be able to decrypt the
stored passphrase, which means the symmetric key is also stored on
disk.

Now, if my computer is stolen, all the thief has to do is set up a VM,
run TB, and step through the code one instruction at a time, looking
for where the symmetric key is used to decipher the passphrase. A
breakpoint at the right place reveals everything.

Sounds really tedious... oh, wait, TB is open-source, so I should be
able to download the source and find that bit of code without much
trouble. My private key is now completely exposed.

TB's implementation has taken what was a mathematically intractable
problem and reduced it to a few hours' work for any experienced hacker.

You describe a scenario, in which stealing a computer is sufficient to get access to the secret key material stored on the computer.
(I assume no disk encryption is used in your scenario.)

You say, if an OpenPGP passphrase is used, which isn't stored on disk, the thief cannot easily access the secret key material. I agree.

Please let's briefly talk about the scenario that the Thunderbird user sets a master password (which protects the symmetric key that is necessary to unlock the key material). Do you agree that a user chosen master password (not stored on disk) provides equivalent security to having an user chosen OpenPGP passphrase?

Surely it's better to provide an encryption option that is excess to requirements than to not provide an encryption option and possibly leave systems vulnerable as described above? ESPECIALLY as:

Thunderbird advertises the security credentials of TB78 with PGP. This will encourage people to use Thunderbird for encrypted email.
EnigMail on TB68 actually did exactly what Jim (et al) is requesting

Please can this ability ( two options: true/false confirm user key pass when requiring PGP decryption using said key, and a timer for how long that windows can be open once a password is successfully given (Enigmail did I think 5,10,15 minute options)).

Please see my bug 1680033

Further to the above, a secondary aspect of Passphrases for PGP Keys on a per-key basis is that to have a passphrase for PGP AUTHENTICATES that the genuine user can send and read emails, rather than just anyone on the device who gains access to Thunderbird. It correlates the PGP Key with the key's legitimate owner, as well as providing a slowing mechanism for any attempts to breach this security.

Repeating my comment in https://bugzilla.mozilla.org/show_bug.cgi?id=1679278 , bringing feedback from a meeting with the Internet Freedom Festival community:

Our Thunderbird user base works on human rights internationally as journalists, NGO employees, and activists. Many of them face arrest or confiscation and search of their devices.

For these users, not being able to depend on a strong unique password they have to enter themselves is literally the difference between life and death or loss of liberty. An attacker could easily confiscate their device and use the access to their email to build a case to keep them in prison or execute them, or pretend to be them, wreaking havoc on the trustworthiness of efforts to protect people worldwide.

We need the option to enter a password to encrypt and decrypt. In a community feedback session, a number of our users reported trusting Thunderbird less when they no longer had that option. Losing this option erodes user trust and is likely to lose Thunderbird a very dedicated userbase.

Duplicate of this bug: 1722601
Whiteboard: [dupeme]
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → WONTFIX

(In reply to Kai Engert (:KaiE:) from comment #2)

See also bug 1679278.

We wouldn't be able to require that the master password is entered each time related data is used, because that code is shared with Firefox.

So, if we wanted to introduce a "prompt every time an OpenPGP secret key is used", we'd need passwords for OpenPGP keys that are independent of the master password.

No, you don't. Enigmail doesn't have the passphrases for the keys, they are prompted from the user and then immediately used to decode the key and then forgotten...

Please stop thinking of "1 password". Owners of multiple mail accounts that have multiple passphrases are a reality... They can all be simultaneously used in one Thunderbird, because whenever such a secured accounts (from the many the user sets up) is used, the passphrase for that specific account gets prompted, thus securing the accounts the users wants secured WITHOUT taking away the ease to be able to read/write the unsecured accounts without entering any password...

(In reply to Kai Engert (:KaiE:) from comment #4)

Note that Thunderbird doesn't store any user assigned passphrases.

See CVE-2021-29956 ...

You need to log in before you can comment on or make changes to this bug.