On 16/09/2020 10.30, David C. Rankin wrote:
On 9/14/20 1:53 PM, Martin Wilck wrote:
Q: "How is my personal key protected?" A: "At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. [..] You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected."
Holy 5hi4!
That is indeed a showstopper. I wonder how many folks that will catch by surprise? But thank you Martin for bringing that forward. Why is Tbird bringing your GPG keys in and then storing them in a directory outside of .gnupg and duplicating what GPG does, instead of using a gpg agent or some sort of known way to just access your GPG keys for use?
They seem to have rewritten the entire thing :-(
This seems like 2 steps backwards in security. Steal laptop -- look in Thunderbird profile, if no Master Password, scrape keys to the kingdom...
It is backwards in several senses. Of course I use a master password with both Firefox and Thunderbird (to keep the connection passwords to servers), but I'm used to having a different password to sign an email, which is something serious.

--
Cheers / Saludos,
Carlos E. R. (from 15.1 x86_64 at Telcontar)