Open Bug 1802283 Opened 1 year ago Updated 11 months ago

Investigate using a separate passwords store for Thunderbird sync

Categories

(Thunderbird :: General, task)

Tracking

(Not tracked)

People

(Reporter: darktrojan, Unassigned)

References

(Blocks 1 open bug)

Details

If we share the passwords store that Firefox uses, and a user has Sync set up in both Firefox and Thunderbird, they will be able to see passwords from Firefox in Thunderbird and vice versa. This isn't necessarily a problem but it may be unexpected for the user.

From a security POV, if we don't share the password store, even if it's just by renaming the collection, it becomes harder for an attacker in one product to do damage in the other.

This bug is about finding one or more feasible ways to use a separate password store.

Using a different collection name seems the only option I can see here, at least until we enable some of the other longer-term options around different keys that we've been discussing. A new name should be quite simple and shouldn't have unintended side-effects anywhere.

(In reply to Geoff Lankow (:darktrojan) from comment #0)

From a security POV, if we don't share the password store, even if it's just by renaming the collection, it becomes harder for an attacker in one product to do damage in the other.

TBH I don't think that's true - an attacker would probably still be able to get their hands on either. It would make simple mistakes less likely to be damaging between the products though.

Assignee: geoff → nobody
Status: ASSIGNED → NEW
You need to log in before you can comment on or make changes to this bug.