[HN Gopher] Thunderbird stored OpenPGP secret keys without maste...
___________________________________________________________________

Thunderbird stored OpenPGP secret keys without master password
protection

Author : mritzmann
Score  : 32 points
Date   : 2021-05-20 21:25 UTC (1 hours ago)

(HTM) web link (www.mozilla.org)
(TXT) w3m dump (www.mozilla.org)

| skittlesmcgee wrote:
| Thanks a lot, Mozilla!
|
|   xbar wrote:
|   Because NetScape needed to learn this lesson again.

| akerl_ wrote:
| Am I reading correctly that ~"GPG private keys were stored
| unencrypted" and ~"messages could be modified to include non-
| encrypted chunks, which the client displayed without indicating
| the distinction" both count as low-severity?

| treve wrote:
| I'm a novice at security, but shouldn't the correct fix be to
| force the user to revoke the keys?
|
|   edoceo wrote:
|   Yes. Keys compromised? Suspect compromise? Rotate. I think a
|   good policy is to get in the habit of rotation.
|
|     ben0x539 wrote:
|     It's a good policy, but I don't think it would work well as
|     something _forced_ on users.
|
|       edoceo wrote:
|       Oh yes, like Novell default policy to change password every
|       90 days. So many help desk calls.

| u801e wrote:
| Would this only affect keys that don't have an associated
| passphrase that's used to decrypt them?

| jokoon wrote:
| Well it's not ideal, but it assumes the computer it is stored on
| is securely protected, so Thunderbird would not be the weakest
| link here.
|
| Protecting this key would require asking the user for a password.
|
| By default there are none, but users who use gpg are aware of
| security and would generally set a master password.
|
|   trashcan wrote:
|   > The master password protection was inactive for those keys.
|
|   Or do you mean setting a master password for the key itself
|   outside of Thunderbird?
___________________________________________________________________
  (page generated 2021-05-20 23:01 UTC)