On 27/05/2021 10.12, -pj wrote:
On 5/26/21 3:46 PM, Carlos E. R. wrote:
On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
On 2021-05-26 at 13:24 -0500, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working making your drive readable by anyone with access -- but since that requires physical control -- it's minor.
I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.
Again, not a problem to someone with access. Take the disk, mount it on another computer, and just read the mail files - if not encrypted.
Access while encrypted and running? Yes, also possible. There is a bug in XFCE that somehow doesn't kick the screensaver when the machine is idle or hibernated, meaning that for example the laptop can be hibernated: steal it, start it, and you are in, no password protects the desktop.
Not if there is no battery in it.
No battery needed if the machine is hibernated (to disk). I did not say "suspended", which is to RAM. When it recovers there is no password asked, because the screensaver daemon was never started.
--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)