On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working, making your drive readable by anyone with access -- but since that requires physical control -- it's minor. I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.

So the gist of the bug is all gpg keys you imported with the import wizard after Enigmail was ditched were imported unencrypted as plain-text -- up to and including the current version of Tbird. Yikes.

--
David C. Rankin, J.D.,P.E.