gpg keys are stored unlocked / use third-party key store
Categories
(MailNews Core :: Security: OpenPGP, defect)
People
(Reporter: mozom23kqi362her, Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Steps to reproduce:
Scenario 1:
imported private gpg key in account settings (it asked for a password)
closed Thunderbird
re-opened Thunderbird and wrote an email
Scenario 2:
after some time (1h) opened an encrypted draft or an encrypted received email
Scenario 3:
export a saved key without having to unlock anything (can be done with a copy of the profile... on another computer) if the $HOME directory is compromised (the GPG store and the ssh store are safe regarding this issue)
Actual results:
Scenario 1:
the password isn't asked for either when saving the encrypted draft or when sending the message => the key is stored unlocked
Scenario 2:
the password isn't asked for, even if Thunderbird was closed (so no "unlocked into memory" key) => the key is stored unlocked
Scenario 3:
I saved the key, re-imported it on another Thunderbird account, and was able to sign a forged message....
Expected results:
the behavior should be like OpenKeychain on Android: I can select if I want the keys to be unlocked once, for some time (1h), for the session time....
I also find it annoying to maintain "duplicated" keys: the keys are already securely stored in gpg (seen by Seahorse) and Thunderbird seems to have its own builtin "OpenPGP" store => duplicating information is BAD and error prone (changing keys for example)
the current behavior is HIGHLY unsafe, anyone gaining access to the account can launch Thunderbird and can:
- send authenticated email !!!!!!!!
- export secret keys !!!!!!!! OMG!!!! (just go to accounts, manage identities, modify a gpg protected account, go to end-to-end encryption, gpg manager, select a private key pair, save private key... you will be prompted for a password to ascii armor the key, which the intruder can enter at will... so saving the keys to re-import elsewhere...)
without having to enter anything! no password prompt, no key unlock prompt.... this is a MAJOR security flaw
=> keys MUST be kept LOCKED, the user MUST be asked if he wants to keep the key unlocked and for how long
=> the keystore must be selectable (GPG on Linux should be selectable instead of OpenPGP) (gpg-agent allows selecting how long to keep the credential unlocked)
Comment 1 • 1 month ago (Reporter)
see https://bugzilla.mozilla.org/show_bug.cgi?id=1977351 for some discussion about this issue
it seems that
- by default the master password mode is used, BUT the user is never prompted to enter one, so I wasn't even aware that there is a master password, and the master password isn't activated by default => the user believes that the imported pgp key is protected somehow....
- See bug 1679278
and https://thunderbird.topicbox.com/groups/e2ee/Tdc427a8b0255b85a-M4db1a36a093cb3486c5149c8
so setting mail.openpgp.passphrases.enabled to true and not forgetting to check the checkbox (easy to not see it....) allows storing the gpg key password protected, but bug 1834577 still needs to get implemented to be useful - I tried to use the gpg external mode setting
mail.openpgp.allow_external_gnupg to true:
I now have the possibility to register an "external GPG key": I entered the key fingerprint found in gpg --list-keys,
the key now listed is the first subkey (say 0x1023456789AB for the example). So there is some communication with gpg
BUT when I try to write a message and save it as an encrypted draft, it gives me an error "key 0x1023456789AB isn't configured"
looking at the first subkey it's only "sign and certificate type", the "cipher" key is the second key
in fact the problem is that no security is the default behavior, and that the user isn't ever informed that there is security to enable (master password etc...) and that the external GPG mode isn't working
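A profile configuration check, added here as an example (it is not code from the report or from Thunderbird): it parses a profile's prefs.js for the two preferences named in this comment plus the per-identity key id, and reports whether imported secret keys have any protection at all. Whether a primary (master) password is set is passed in by the caller, on the assumption that it is not recorded in prefs.js; the prefs content is constructed, and the pref names are those mentioned on this page plus the assumed mail.identity.<id>.openpgp_key_id key.

```python
import re

# Constructed sample of a Thunderbird profile's prefs.js (not taken from the report).
SAMPLE_PREFS = '''
user_pref("mail.identity.id1.openpgp_key_id", "0x1023456789AB");
user_pref("mail.openpgp.allow_external_gnupg", false);
user_pref("mail.openpgp.passphrases.enabled", false);
'''

# prefs.js holds one user_pref("name", value); line per non-default preference.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);')


def parse_prefs(text):
    """Parse user_pref lines into a dict with bool/int/str values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def assess_openpgp_key_storage(prefs, primary_password_set):
    """Return (level, message) findings for each identity with an OpenPGP key.

    primary_password_set is supplied by the caller: whether a primary
    (master) password exists is assumed not to be readable from prefs.js.
    """
    external = prefs.get("mail.openpgp.allow_external_gnupg", False)
    passphrases = prefs.get("mail.openpgp.passphrases.enabled", False)
    findings = []
    for name, key_id in prefs.items():
        if not name.endswith(".openpgp_key_id") or not key_id:
            continue
        identity = name.split(".")[2]  # mail.identity.<id>.openpgp_key_id
        if external:
            findings.append(("INFO", f"{identity}: {key_id} may live in gpg-agent; check its cache timeout"))
        elif passphrases:
            findings.append(("OK", f"{identity}: per-key passphrases enabled; confirm {key_id} was imported with one"))
        elif primary_password_set:
            findings.append(("OK", f"{identity}: {key_id} is protected by the primary password"))
        else:
            findings.append(("UNPROTECTED", f"{identity}: {key_id} can be used and exported without any prompt"))
    return findings
```

Run it against a real profile by reading its prefs.js into parse_prefs; an UNPROTECTED finding is the state the report describes.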
Comment 2 • 1 month ago (Reporter)
I would like not to multiply keystores: duplicating keys opens security issues and makes it difficult to have all setups correctly secured. mail.openpgp.allow_external_gnupg should be set to true by default (the user then has the choice to use the Thunderbird OpenPGP store or to use the external gpg), but this means that this mode must work
Comment 3 • 9 days ago
I think this is all covered by the bug 1977351 discussions.
There were/are many technical aspects that make sharing a keystore not feasible.