[HN Gopher] Thunderbird stored OpenPGP secret keys without maste...
       ___________________________________________________________________
        
       Thunderbird stored OpenPGP secret keys without master password
       protection
        
       Author : mritzmann
       Score  : 32 points
       Date   : 2021-05-20 21:25 UTC (1 hours ago)
        
 (HTM) web link (www.mozilla.org)
 (TXT) w3m dump (www.mozilla.org)
        
       | skittlesmcgee wrote:
        | Thanks a lot, Mozilla!
        
       | xbar wrote:
        | Because Netscape needed to learn this lesson again.
        
       | akerl_ wrote:
       | Am I reading correctly that ~"GPG private keys were stored
       | unencrypted" and ~"messages could be modified to include non-
       | encrypted chunks, which the client displayed without indicating
       | the distinction" both count as low-severity?
        
       | treve wrote:
       | I'm a novice at security, but shouldn't the correct fix be to
       | force the user to revoke the keys?
        
         | edoceo wrote:
         | Yes. Keys compromised? Suspect compromise? Rotate. I think a
         | good policy is to get in the habit of rotation.
        
           | ben0x539 wrote:
           | It's a good policy, but I don't think it would work well as
           | something _forced_ on users.
        
             | edoceo wrote:
              | Oh yes, like Novell's default policy to change passwords
              | every 90 days. So many help desk calls.
        
       | u801e wrote:
       | Would this only affect keys that don't have an associated
       | passphrase that's used to decrypt them?
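         
Bearing on u801e's question: whether an OpenPGP secret key carries its own passphrase protection is recorded in the key packet itself (the S2K usage octet of the Secret-Key and Secret-Subkey packets, RFC 4880 section 5.5.3), independently of whatever the mail client wraps around its keyring. The script below is an added example, not code from the thread or from Thunderbird. It reads a binary or ASCII-armored secret-key export (as produced by `gpg --export-secret-keys`) and reports, per key, whether the secret MPIs are stored in clear (usage 0) or encrypted under a passphrase-derived key (usage 254/255), along with the cipher and S2K mode. The sample packets at the bottom are constructed with dummy MPIs purely to exercise the parser; they are not real keys.

```python
"""Audit OpenPGP secret-key packets: is each key passphrase-protected?
Checks the S2K usage octet of Secret-Key / Secret-Subkey packets (RFC 4880 5.5.3).
Added example; supports v4 keys, old/new packet headers, no partial lengths."""
import base64
import hashlib
import re
import struct

SECRET_KEY, SECRET_SUBKEY = 5, 7
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}        # RSA variants, ElGamal, DSA
ECC_ALGOS = {18, 19, 22}                             # ECDH, ECDSA, EdDSA
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
S2K = {0: "simple", 1: "salted", 3: "iterated+salted", 101: "GnuPG stub (no key material)"}


def dearmor(data):
    """Accept binary or ASCII-armored input and return raw packet bytes."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body = re.split(rb"\r?\n\r?\n", data.split(b"-----BEGIN PGP", 1)[1], 1)[1]  # skip armor headers
    body = body.split(b"-----END PGP", 1)[0]
    b64 = [l.strip() for l in body.splitlines() if not l.startswith(b"=")]      # "=XXXX" is the CRC24
    return base64.b64decode(b"".join(b64))


def packets(data):
    """Yield (tag, body) for each packet in the stream."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i - 1}")
        if ctb & 0x40:                                   # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial-length packets not supported")
        else:                                            # old-format header (what gpg emits)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            n = (1, 2, 4, 0)[ltype]
            length = len(data) - i if ltype == 3 else int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def _skip_mpi(body, i):
    return i + 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8


def public_len(body):
    """Length of the public fields of a v4 key packet = offset of the S2K usage octet."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, i = body[5], 6
    if algo in ECC_ALGOS:
        i += 1 + body[i]                                 # length-prefixed curve OID
        i = _skip_mpi(body, i)                           # public point
        if algo == 18:
            i += 1 + body[i]                             # ECDH KDF parameters
    elif algo in MPI_COUNT:
        for _ in range(MPI_COUNT[algo]):
            i = _skip_mpi(body, i)
    else:
        raise ValueError(f"unknown public-key algorithm {algo}")
    return i


def audit(data):
    """Return one dict per secret (sub)key describing how its secret MPIs are stored."""
    report = []
    for tag, body in packets(dearmor(data)):
        if tag not in (SECRET_KEY, SECRET_SUBKEY):
            continue
        n = public_len(body)
        fpr = hashlib.sha1(b"\x99" + struct.pack(">H", n) + body[:n]).hexdigest().upper()  # v4 fingerprint
        usage = body[n]
        entry = {"fingerprint": fpr, "subkey": tag == SECRET_SUBKEY, "protected": usage != 0}
        if usage == 0:
            entry["detail"] = "secret MPIs in clear, 2-octet checksum only"
        elif usage in (254, 255):
            entry["cipher"] = CIPHERS.get(body[n + 1], f"algo {body[n + 1]}")
            entry["s2k"] = S2K.get(body[n + 2], f"type {body[n + 2]}")
            entry["integrity"] = "SHA-1" if usage == 254 else "2-octet checksum"
        else:                                            # legacy: octet is the cipher id, MD5 simple S2K
            entry["cipher"], entry["s2k"] = CIPHERS.get(usage, f"algo {usage}"), "legacy simple (MD5)"
        report.append(entry)
    return report


# ---- constructed fixtures: NOT real keys, the MPIs are tiny dummies ----
def _mpi(v):
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _packet(tag, body):                                  # old-format header, 2-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

_PUB_RSA = b"\x04" + struct.pack(">I", 1621545900) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)
_SEC_RSA = _mpi(0xD00D) + _mpi(0xBEEF) + _mpi(0xF00D) + _mpi(0x1234)
SAMPLE_UNPROTECTED = _packet(SECRET_KEY, _PUB_RSA + b"\x00" + _SEC_RSA + struct.pack(">H", sum(_SEC_RSA) & 0xFFFF))

_OID_ED25519 = bytes.fromhex("2B06010401DA470F01")
_PUB_ED = b"\x04" + struct.pack(">I", 1621545900) + b"\x16" + bytes([9]) + _OID_ED25519 + _mpi((0x40 << 256) | 0x1234)
_S2K_HDR = b"\xfe\x09\x03\x08" + b"saltsalt" + b"\xff"   # usage 254, AES-256, iterated+salted, SHA-256
SAMPLE_PROTECTED = _packet(SECRET_SUBKEY, _PUB_ED + _S2K_HDR + bytes(16) + bytes(range(48)))  # IV + "ciphertext"

SAMPLE_ARMORED = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: constructed\n\n"
                  + base64.b64encode(SAMPLE_UNPROTECTED + SAMPLE_PROTECTED)
                  + b"\n=0000\n-----END PGP PRIVATE KEY BLOCK-----\n")

if __name__ == "__main__":
    for entry in audit(SAMPLE_ARMORED):
        print(entry)
```

To audit a real export, replace `SAMPLE_ARMORED` with the bytes of the file written by `gpg --export-secret-keys` (armored or not). A key reported as `protected: False` has its secret MPIs readable by anything that can read the file, whatever the application's own master password does or does not cover.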
        
       | jokoon wrote:
        | Well, it's not ideal, but it assumes the computer it is stored on
        | is securely protected, so Thunderbird would not be the weakest
        | link here.
        | 
        | Protecting this key would require asking the user for a password.
        | 
        | By default there is none, but users who use gpg are aware of
        | security and would generally set a master password.
        
         | trashcan wrote:
         | > The master password protection was inactive for those keys.
         | 
         | Or do you mean setting a master password for the key itself
         | outside of Thunderbird?
        
       ___________________________________________________________________
       (page generated 2021-05-20 23:01 UTC)