Closed Bug 1722601 Opened 1 year ago Closed 1 year ago

Thunderbird does not ask for passphrase for keys used


(MailNews Core :: Security: OpenPGP, defect)



(Not tracked)



(Reporter: ok34, Unassigned)


User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0

Steps to reproduce:

Migrated to Thunderbird 78, migrating my keys from Enigmail (Linux Mint 19.0 Tara)

Actual results:

During the cause of the migration, I was asked to enter the passphrase for the two keys I use.
a) My setting (to sign all e-mails with the two keys) was not migrated. This could be rectified.
b) Now I am never asked to enter the passphrase when I send out e-mails.

Expected results:

The passphrase MUST be verified each and every time the keys are used. Everything else is just a security vulnerability. Passphrases are part of key security architecture.

It opens everyone who does not use a master password on his/her e-mail client to identity fraud by enabling users who have access to the computer and account to use signing keys for which they do not know the necessary passphrase(s) - which are a vital element of securing keys against illegitimate use.

Those passphrases are still inside the keys, but Thunderbird ignores them.

This makes it impossible to use Thunderbird for dual use: Allow every legimate logged-in user to send unsigned e-mails, but restrict the sending of signed e-mails to those persons who know the necessary passphrases.

Makes sense, thanks Oliver! You're not the only one to request this.

Closed: 1 year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1679455
Component: Untriaged → Security: OpenPGP
Product: Thunderbird → MailNews Core

Let me get this right - you mean when there are "users who have access to the computer and account" ( I guess with account you mean thunderbird mail account?) this is ok, as long they cannot access the TB OpenPGP private keys?

Those users still can still send unsigned mails and read all sent/received clear text mails.

I would think the first step to prevent mail fraud (be it signed or unsigned) is to restrict access to the computer and thunderbird mail account so that every valid user has it's own computer username login and thunderbird mail account respectively, and possibly hard disk encryption.

"Sharing" TB and authenticate valid users by the knowledge of different TB OpenPGP private keys is not the way I think.

You need to protect TB first. TB master password is not strictly required for that, but it's not bad to use a master password, still.

Please describe your concrete use case for the "dual use" you described, so people here can understand better your issue.

(In reply to Arvidt from comment #3)

Please describe your concrete use case for the "dual use" you described, so people here can understand better your issue.

Oliver, that would be interesting for us to better understand your scenario indeed.

Flags: needinfo?(ok34)

Well, thanks for contacting me :-)

My use case is that I have several mailing accounts inside Thunderbird, two of them being extra secured: My business account and my really personal account (I have some that are slightly in between the two: These are "disposable", meaning, when they receive increasing numbers of spam, I will just deactivate them).

My business account is not used for "run of the mill" contacts, it's strictly business, with partners I know and trust, and they trust me. My personal account is the same, just not business. If these accounts would see identity theft it would really hurt me. That is why I secured them with passphrases more than a decade ago. Thunderbird will cryptographically sign all e-mail that go out from those, and therefore Enigmail always prompted for the passphrase when sending out a mail (with a grace period of a couple of minutes in which passphrases will not be asked for a second time).

I do not secure Thunderbird (or Mozilla) with a master password, because I find it enervating to have to enter this every time I start up mail or browser. I do have my OS account (on Linux Mint) secured by a password, but usually I enter that only once a day. When I have guests, they are free to use mail or browser.

I don't mind when they use one of the disposable addresses, but they can't use the accounts that are secured - because they don't know the passphrases.

This personal scenario with friends in my point of view would be applicable also to families. I know no family where family members would log in and out on OS level to strictly separate data and accounts, as a business would certainly do.

This leads to all family members using one family mail client or browser! But it would certainly not be desirable if the kids would be enabled to send out certified mails (!) bearing the digital signature of the parents... In such a scenario, were a family shares the OS account but has separated mail accounts, passphrases would be the method of choice to secure the digital identity of those who wish to do so without making the bothersome lock-up of the PC with personal accounts for everyone with constant logging in and out...

Another point I would like to raise is that this grave difference in behaviour between Thunderbird and Enigmail comes undocumented. Users importing their Open PGP keys are not being warned that the two times they have to enter the passphrases for the import will forever be the last times those passphrases will get verified!

I do see that for some users it might be desirable not having to enter passphrases. This leads me to the feature request that passphrase verification be made an option (with default on). Let the users decide. But if someone created a passphrase, I believe it is unlikely that such a user doesn't care about that passphrase in the future...


Flags: needinfo?(ok34)

(In reply to Arvidt from comment #2)

Those users still can still send unsigned mails and read all sent/received clear text mails.

Yes. That is in the responsibility of the owner of the OS account. That someone could read his/her mail.

But NO ONE could use a logged in OS session to fraudulently pretend he or she IS the owner of the OS account.

Cryptographic signing means assuring the recipient of the mail that it verifiedly came only from the legimate owner. If the verification that is part of Open PGP, the verification of the passphrase that was created by the owner with the intent to secure his digital identity, gets bypassed by Thunderbird, this creates a security hole...

You need to log in before you can comment on or make changes to this bug.