[openpgp] Thunderbird Writing Private Key Pass Phrases to Disk

openpgp@couldbe.nulluser.com Fri, 27 November 2020 22:23 UTC

To: openpgp@ietf.org
From: openpgp@couldbe.nulluser.com
Message-ID: <MTAwMDAzOC5jb3VsZGJl.1606515776@quikprotect>
Date: Fri, 27 Nov 2020 16:22:55 -0600
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/IhrKEQtZDyY5U3wcbV9Nrgoy26Q>
Subject: [openpgp] Thunderbird Writing Private Key Pass Phrases to Disk

This seems so fundamentally wrong I'm having trouble understanding why the developer insists on doing it.

https://bugzilla.mozilla.org/show_bug.cgi?id=1678655

PGP passwords should not be stored on disk. (Security Issue)

                 -----------------------------

Keeping PGP Private Key Passwords in memory per session is reasonable but saving them for automatic decryption along 
with account passwords is NOT!

There is a big difference in expected privacy and security levels between an account password and a PGP Private Key 
Password!

PGP passwords should not reside on disk anywhere! By rights, they should also be explicitly purged from memory upon 
exiting Thunderbird.

Actual results:

Private PGP key automatically accessed without having to enter password after first use.

Expected results:

PGP Private Key Password should be solicited for manual entry upon every session.

PGP Private Key Password should reside only in memory per session.

PGP Private Key Password should be explicitly wiped from memory upon Thunderbird exit.

PGP passwords should not be stored on disk. (Security Issue)

                 -----------------------------

Using the master password will give you that. (See bug 1662272).
Of course, if you really care about what's written to disk, you should not rely on that, but use full disk encryption.
Status: UNCONFIRMED → RESOLVED
Closed: 1 hour ago
Resolution: --- → INVALID

                 -----------------------------

No the master password does NOT "give me that," you are degrading security!

OpenPGP already has a strong security mechanism in the form of a Private Key Pass Phrase. Normal use of PGP/GPG/OpenPGP 
never involves writing that private key pass phrase to disk.

Thunderbird's implementation of writing that secret pass phrase to disk is a violation of all defined best practice. 
Arguing that this violation can be compensated for via additional workarounds such as full disk encryption is specious. 
Simply stop degrading security!

First -- I do not want ALL of my secure email unlocked and exposed every time I run Thunderbird.

Second -- Full disk encryption only provides protection to dead systems. The drive is effectively decrypted while in use 
and its contents are subject to the same live access as any other drive.

Third -- The Master password groups everything together at the same level. PGP Private keys demand a considerably higher 
level of security than access to YouTube or Reddit.

Fourth -- People have more than one Private Key. Recording all the private key pass phrases together yet again degrades 
security.

Ironically this doesn't require custom code development, Thunderbird already does the proper thing if there is no known 
private key. Simply remove the extra code that subverts everything by saving the Pass Phrase. Why are you working so 
hard to do the wrong thing?
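The "Expected results" in the quoted bug report describe a session-only pass phrase cache: prompt once per session, keep the secret only in memory, and wipe it on exit. The following is an added illustration of that design, not Thunderbird's code; the `prompt` callable, the `SessionPassphrase` class and `serialises_secret` are assumed names for the example.

```python
import atexit
import pickle
from typing import Callable, Optional


class SessionPassphrase:
    """Hold one private-key pass phrase for a single session, in memory only.

    Mirrors the expected behaviour from the bug report: prompt once per
    session, never serialise the secret, and overwrite it on wipe() and
    at interpreter exit.
    """

    def __init__(self, prompt: Callable[[], str]) -> None:
        self._prompt = prompt              # getpass.getpass in real use
        self._buf: Optional[bytearray] = None
        atexit.register(self.wipe)         # best-effort wipe on exit

    def get(self) -> bytearray:
        """Return the live buffer, prompting on first use this session.

        Callers must use the bytearray directly and not copy it into a
        str or bytes, since immutable copies cannot be overwritten.
        """
        if self._buf is None:
            self._buf = bytearray(self._prompt().encode("utf-8"))
        return self._buf

    def is_cached(self) -> bool:
        return self._buf is not None

    def wipe(self) -> None:
        """Overwrite the secret in place, then drop the reference."""
        if self._buf is not None:
            self._buf[:] = b"\x00" * len(self._buf)
            self._buf = None

    def __getstate__(self):
        # Refuse pickling so the secret cannot be persisted by accident.
        raise TypeError("SessionPassphrase must never be serialised")


def serialises_secret(sp: SessionPassphrase) -> bool:
    """True if the object could be written to disk via pickle (it must not)."""
    try:
        pickle.dumps(sp)
        return True
    except TypeError:
        return False
```

The wipe covers only the retained buffer: the temporary `str` returned by the prompt and the intermediate `bytes` from `encode()` are immutable and stay in memory until garbage-collected, which is a limit of doing this in Python rather than in native code.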