Closed Bug 1680033 Opened 3 years ago Closed 3 years ago

PGP TB78 Needs to Force user to confirm keys and encryption before sending and reading

Categories: Thunderbird :: Security, defect

Tracking: Not tracked

RESOLVED DUPLICATE of bug 1679278

People: Reporter: martin, Unassigned

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Thunderbird 78.5
SUMMARY:
With TB68 and Enigmail installed, I would need to manually enter the password to enable Decryption of PGP emails (for 5 minutes timeframe) and for Confirmation of sending PGP emails.

REASON: This confirmed that I and only I was the person sending and reading these emails, even if others used TB or the machine was shared.

WHAT HAPPENS NOW:
With TB78 there is no option to confirm my password, so anyone on my TB account can send encrypted emails or read encrypted emails. If, for instance, my PC is stolen and the Windows login password is breached (which, let's face it, isn't that hard), then anyone can access my encrypted emails on Thunderbird and send encrypted emails pretending to be me. This is unsafe.

Perhaps there is an option in the TB About:Config but I can't see anything that suggests such. If it does exist in the system already please advise how to activate this additional onion skin.

Actual results:

WHAT HAPPENS NOW:
With TB78 there is no option to force confirmation of my password, so anyone on my TB account can send encrypted emails or read encrypted emails. If, for instance, my PC is stolen and the Windows login password is breached (which, let's face it, isn't that hard), then anyone can access my encrypted data on Thunderbird. This is unsafe.

Expected results:

As with Kleopatra, the encryption software supplied with Enigmail, to do any Encryption or Decryption, the password prompt is presented to ensure that the person using the machine is the person who knows the password and so only the trusted person can encrypt files. etc. etc.

To clarify the Expected results: A user should be able to set a desired timeframe and then be prompted to enter their key password(s), which are then saved for this timeframe. So when, after opening TB, I open a PGP-encrypted email, I am prompted to enter my key password, and then TB accepts PGP communications for 5/10/15 minutes (set in the settings). This is how Enigmail worked, and it was secure so that even if the device or Thunderbird was compromised (unless within this very small timeframe) the PGP data was still relatively safe.

(In reply to Martin from comment #0)

> REASON: This confirmed that I and only I was the person sending and reading these emails, even if others used TB or the machine was shared.

You realize that just lost you that game? If others can do what they want with the machine obtaining your password is very simple. Asking for a password won't help with that. If you care about security, you need to have a secure setup.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

(In reply to Magnus Melin [:mkmelin] from comment #2)

> (In reply to Martin from comment #0)
>
> > REASON: This confirmed that I and only I was the person sending and reading these emails, even if others used TB or the machine was shared.
>
> You realize that just lost you that game? If others can do what they want with the machine obtaining your password is very simple. Asking for a password won't help with that. If you care about security, you need to have a secure setup.
>
> *** This bug has been marked as a duplicate of bug 1679278 ***

Yes, in simplified summary, but security is onion skins: Thunderbird should not assume just because my OS password has been supplied that the person viewing my PGP emails is the same person who wrote or was the recipient of the PGP emails.

The current keys on TB78 are from Enigmail, but using Enigmail these keys were only used when my user-set password was used, confirming that the keys are authorised. Can Thunderbird implement this authorisation? If not, how come?

Thanks

(In reply to Magnus Melin [:mkmelin] from comment #2)

> (In reply to Martin from comment #0)
>
> > REASON: This confirmed that I and only I was the person sending and reading these emails, even if others used TB or the machine was shared.
>
> You realize that just lost you that game? If others can do what they want with the machine obtaining your password is very simple. Asking for a password won't help with that. If you care about security, you need to have a secure setup.
>
> *** This bug has been marked as a duplicate of bug 1679278 ***

On further reading of this, you completely misunderstand.

The password for my PGP key is in my head. It's only in my head. So why should someone else who has access to my Thunderbird application also have access to my PGP communications without even the option for any authentication mechanism? Why should Thunderbird assume that we are the same people?

Flags: needinfo?(mkmelin+mozilla)

I think you're mixing up concepts that will not play together. Give someone else access to your account and even the application, and you're more or less doomed anyway (why wouldn't they just install a key logger etc., maybe an add-on that would pop up a similar dialog?). Sure, it's an onion, but by doing this you've peeled off enough layers that it doesn't make much sense to try to do anything more. It's just pretend security.

Flags: needinfo?(mkmelin+mozilla)

(In reply to Magnus Melin [:mkmelin] from comment #5)

> I think you're mixing up concepts that will not play together. Give someone else access to your account and even the application, and you're more or less doomed anyway (why wouldn't they just install a key logger etc., maybe an add-on that would pop up a similar dialog?). Sure, it's an onion, but by doing this you've peeled off enough layers that it doesn't make much sense to try to do anything more. It's just pretend security.

Let's run with a scenario that you describe... someone has physical access to my device; there are two broad paths forward:

  1. That person opens my Thunderbird and can then proceed to send secured PGP emails on my behalf and read PGP emails aimed at me. Thunderbird presents no ability to limit this in any form, making it instant access.

Thunderbird does have a Master Password routine but this doesn't work correctly at present (doesn't request the password unless the user enters the options menu; presents all PGP emails without any authentication).

  2. Thunderbird employs a PGP passphrase as per usual with every other well-regarded PGP implementation (GnuPG / Kleopatra / etc.), so if someone has access to the device, they can load Thunderbird and view plaintext emails, but they need the passphrase to access PGP emails. This is not present on the system.

Yes, perhaps they need to install a keylogger, perhaps they can install a remote camera behind my desk to view my fingers as I type... but this all takes extra time (not least brute-forcing the PGP passphrase, which is inviable) and extra commitment, and has a much wider opening to a) being discovered and b) being used as evidence for reprimand, whereas currently the unauthorised person only needs a few seconds on Thunderbird to read or to forward encrypted emails.

Now, which of these two above methods would you prefer for yourself?

In addition, unfortunately your comments seem to run on the issue of 'security' rather than the issue of 'authentication'. Having a passphrase for PGP AUTHENTICATES that the genuine user can send and read emails, rather than just anyone on the device. It correlates the PGP key with the key's legitimate owner, as well as providing a slowing mechanism for any attempts to breach this security (as outlined in scenario 2, above).

Flags: needinfo?(mkmelin+mozilla)

IIRC if you're using the master password you'll not be able to use the key to create new. Previously decrypted may be viewable.

Anyway, how about option 3: don't give access to the account unless you want others to have access?

Flags: needinfo?(mkmelin+mozilla)

Martin,

what we offer is the master password mechanism. If you enable it, your keys on disk are protected.

(In reply to Martin from comment #6)

> Thunderbird does have a Master Password routine but this doesn't work correctly at present (doesn't request the password unless the user enters the options menu; presents all PGP emails without any authentication).

I don't understand this claim.

If you have a master password set, at the time Thunderbird is started, you are asked to enter it. If the user doesn't enter it, then Thunderbird cannot decrypt messages and cannot create new signatures.

It is true that we don't support a timeout while Thunderbird is running. If you want to ensure that no casual person accessing your computer can use your keys, you must quit Thunderbird or lock your computer.
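Martin's comment #0 asks for a passphrase that is cached for a chosen number of minutes and then re-prompted, and Kai's comment #8 states that Thunderbird's master password has no such timeout while the client runs. The following Python sketch is an added example, not Thunderbird or Enigmail code: it models the kind of passphrase cache Enigmail-era setups relied on, with a sliding inactivity window plus a hard cap so repeated use cannot keep a key unlocked forever. The 300 s / 900 s values and the FakeClock are assumptions chosen for the demonstration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class CachedEntry:
    passphrase: str
    unlocked_at: float  # anchor for the absolute cap (max_ttl)
    last_used: float    # anchor for the sliding window (default_ttl)


@dataclass
class PassphraseCache:
    """Passphrase cache with a sliding inactivity window and a hard cap.

    default_ttl: seconds since last use before the entry expires (each use resets it)
    max_ttl:     seconds since unlock before the entry expires, however often it is used
    clock:       time source; injectable so expiry can be tested deterministically
    """
    default_ttl: float = 300.0  # assumed: 5 minutes, the figure from the report
    max_ttl: float = 900.0      # assumed: 15 minutes hard cap
    clock: Callable[[], float] = time.monotonic
    _entries: Dict[str, CachedEntry] = field(default_factory=dict)

    def unlock(self, key_id: str, passphrase: str) -> None:
        """Store a passphrase the user has just typed at the prompt."""
        now = self.clock()
        self._entries[key_id] = CachedEntry(passphrase, now, now)

    def get(self, key_id: str) -> Optional[str]:
        """Return the cached passphrase, or None if the caller must prompt again."""
        entry = self._entries.get(key_id)
        if entry is None:
            return None
        now = self.clock()
        if now - entry.unlocked_at > self.max_ttl or now - entry.last_used > self.default_ttl:
            del self._entries[key_id]  # expired: drop the secret rather than keep it around
            return None
        entry.last_used = now  # each use extends the sliding window, never the hard cap
        return entry.passphrase

    def lock_all(self) -> None:
        """Equivalent of quitting the client or locking the screen: forget every passphrase."""
        self._entries.clear()


class FakeClock:
    """Constructed test clock so expiry can be stepped by hand instead of sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now
```

A `None` from `get()` is the signal to show the passphrase prompt again; the hard cap is what stops an attacker with a few seconds at an unlocked client from simply keeping the window alive by using the key.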

(In reply to Kai Engert (:KaiE:) from comment #8)

> Martin,
>
> what we offer is the master password mechanism. If you enable it, your keys on disk are protected.
>
> (In reply to Martin from comment #6)
>
> > Thunderbird does have a Master Password routine but this doesn't work correctly at present (doesn't request the password unless the user enters the options menu; presents all PGP emails without any authentication).
>
> I don't understand this claim.
>
> If you have a master password set, at the time Thunderbird is started, you are asked to enter it. If the user doesn't enter it, then Thunderbird cannot decrypt messages and cannot create new signatures.
>
> It is true that we don't support a timeout while Thunderbird is running. If you want to ensure that no casual person accessing your computer can use your keys, you must quit Thunderbird or lock your computer.

Hi Kai, thanks for your feedback. I created a bug https://bugzilla.mozilla.org/show_bug.cgi?id=1680231 that outlines the issue: when Thunderbird first loads, the Master Password dialog is not presented until the "Password" Options area is accessed. Without the Master Password field presenting itself, the PGP emails within the mailer are decrypted by default, so my master password is not needed to view PGP emails.

Once the Options --> view passwords area is accessed, the Master Password dialogue deploys, and then even after closing and reopening Thunderbird it presents on loading as expected.

Thanks.
