privacyguides/privacytools.io
Archived
1
0
Fork 0
Code Issues 304 Pull Requests 47 Activity

📝 Correction | Warn that Thunderbird stores OpenPGP keys unprotected unless master password is used #2120

New Issue
Open
opened 2020-11-09 08:26:17 +00:00 by Mikaela · 4 comments
Mikaela commented 2020-11-09 08:26:17 +00:00 (Migrated from github.com)
Copy Link

Description

This is related to https://github.com/privacytools/privacytools.io/issues/2072 and could be addressed in https://github.com/privacytools/privacytools.io/pull/1990.

Previously Enigmail used GPG's keyrings that were protected, but now that Thunderbird has its own keystore, it will set passwords as random on import and not protect keys unless a master password is used.

How is my personal key protected?

At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected.

Why I am making the suggestion

I asked in the PrivacyTools Dev Matrix room if I should make a suggestion about this as I had previously noted it in the forum discussion. I wish to help others not fall into pitfalls that I have found and I imagine the master password feature (especially in Firefox though) may not be too popular amongst PrivacyTools users as they may be using FDE or separate password databases (like I do).

Currently there are no warnings about Thunderbird.

My connection with the software

I am a long time user of Thunderbird and previously Enigmail.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
## Description This is related to https://github.com/privacytools/privacytools.io/issues/2072 and could be addressed in https://github.com/privacytools/privacytools.io/pull/1990. Previously Enigmail used GPG's keyrings that were protected, but now that Thunderbird has its own keystore, it will set passwords as random on import and not protect keys unless a master password is used. > How is my personal key protected? > > At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. *You should use the Thunderbird feature to set a Master Password*. <strong><em>Without a master password, your OpenPGP keys in your profile directory are unprotected. </em></strong> * From https://support.mozilla.org/kb/openpgp-thunderbird-howto-and-faq#w_how-is-my-personal-key-protected with my emphasis and which I think you may wish to read other sections too. Emphasis mine. ## Why I am making the suggestion I asked in the PrivacyTools Dev Matrix room if I should make a suggestion about this as [I had previously noted it in the forum discussion](https://forum.privacytools.io/t/discussion-thunderbird/659/2?u=mikaela). I wish to help others not fall into pitfalls that I have found and I imagine the master password feature (especially in Firefox though) may not be too popular amongst PrivacyTools users as they may be using FDE or separate password databases (like I do). Currently there are no warnings about Thunderbird. ## My connection with the software I am a long time user of Thunderbird and previously Enigmail. - [x] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
👍 2
HorlogeSkynet commented 2020-11-09 10:44:20 +00:00 (Migrated from github.com)
Copy Link

Hi everyone !

Unfortunately, it looks like there is not any preference to "force" the user to set/choose a master password for their profile, so I cannot even add it to https://github.com/HorlogeSkynet/thunderbird-user.js (cc @dngray) as a hardening good practice.
Maybe it's time to fill up a feature request to Mozilla ?

Hi everyone ! Unfortunately, it looks like there is not any preference to "force" the user to set/choose a master password for their profile, so I cannot even add it to <https://github.com/HorlogeSkynet/thunderbird-user.js> (cc @dngray) as a _hardening_ good practice. Maybe it's time to fill up a feature request to Mozilla ?
dngray commented 2020-11-09 10:59:05 +00:00 (Migrated from github.com)
Copy Link
  • authors: v52+ github | v51- www.ghacks.net

Authors were never ghacks.net. github.com/ghacks was not the same thing, was a customary name. It would be appropriate to rename it arkenfox for the credit bit there.

> * authors: v52+ github | v51- www.ghacks.net Authors were never ghacks.net. github.com/ghacks was not the same thing, was a customary name. It would be appropriate to rename it arkenfox for the credit bit there.
HorlogeSkynet commented 2020-11-09 13:13:26 +00:00 (Migrated from github.com)
Copy Link

Fair enough Daniel.
Actually, I didn't change that since the ownership transfer, precisely for copyright reasons 😅

[...]
894ae0d (Samuel FORESTIER Sun Nov 08 17:49:56 2020) * version: v78-beta4
^7973d8a (Daniel Gray Sun Nov 24 01:00:00 2019) * authors: v52+ github | v51- www.ghacks.net
d78aa86 (Samuel FORESTIER Sun Nov 24 11:59:26 2019) * url: https://github.com/HorlogeSkynet/thunderbird-user.js
[...]

Fair enough Daniel. Actually, I didn't change that since the ownership transfer, precisely for copyright reasons :sweat_smile: > [...] > 894ae0d (Samuel FORESTIER Sun Nov 08 17:49:56 2020) * version: v78-beta4 ^7973d8a (Daniel Gray Sun Nov 24 01:00:00 2019) * authors: v52+ github | v51- www.ghacks.net d78aa86 (Samuel FORESTIER Sun Nov 24 11:59:26 2019) * url: https://github.com/HorlogeSkynet/thunderbird-user.js > [...]
dngray commented 2020-11-26 06:12:02 +00:00 (Migrated from github.com)
Copy Link

I decided not to fix this issue as a part of https://github.com/privacytools/privacytools.io/pull/1990 this will need a PR.

I decided not to fix this issue as a part of https://github.com/privacytools/privacytools.io/pull/1990 this will need a PR.
👍 1
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🔍🤖 Search Engines
approved
approved, waiting for a PR
dependencies
Pull requests that update a dependency file
duplicate
feedback wanted
high priority
I2P
The Invisible Internet Project (I2P)
iOS
low priority
OS
Operating Systems
Self-contained networks
Social media
stale
A label for stalebot if it gets added
streaming
Anything related to media streaming.
todo
Tor
Anything covering the Tor network
WIP
active work in progress, do not merge or PR (yet)!
wontfix
Issues or bugs that will not be fixed and/or do not have significant impact on the project.
XMPP
Extensible Messaging and Presence Protocol
[m]
Matrix protocol
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
Browser Extension related issues
enhancement
software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
Correction of content on the website
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
Firefox & forks, about:config etc.
💻 hardware
🌐 hosting
🏠 housekeeping
Anything primarily related to site cleanup.
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
Virtual Private Network
🌐 website issue
*Technical* issues with the website.
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
Domain Name System
🗨️ instant messaging (im)
🇦🇶 translations
Anything covering a translated version of the site
No Label
📝 correction
Milestone
No items
No Milestone
Assignees
Clear assignees
jonah
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#2120
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?