We knew there was something funny about the new Tbirds and gpg ...
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
-- David C. Rankin, J.D.,P.E.
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
https://bugzilla.opensuse.org/show_bug.cgi?id=1186464
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 26/05/2021 12.53, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Duplicate of https://bugzilla.opensuse.org/show_bug.cgi?id=1186199
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working making your drive readable by anyone with access -- but since that requires physical control -- it's minor.
I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.
So the gist of the bug is all gpg keys you imported with the import wizard after enigmail was ditched were imported unencrypted as plain-text -- up to and including the current version of Tbird. Yikes.
-- David C. Rankin, J.D.,P.E.
On 2021-05-26 at 13:24 -0500, David C. Rankin wrote:
On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working making your drive readable by anyone with access -- but since that requires physical control -- it's minor.
I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.
Again, not a problem to someone with access. Take the disk, mount it on another computer, and just read the mail files - if not encrypted.
Access while encrypted and running? Yes, also possible. There is a bug in XFCE that somehow doesn't kick the screensaver when the machine is idle or hibernated, meaning that for example the laptop can be hibernated: steal it, start it, and you are in, no password protects the desktop.
AND, after hibernation Thunderbird does not ask for the master password again, so thunderbird is up and running and fully open. Read encrypted email, write encrypted email, no password asked.
perfect.
So the gist of the bug is all gpg keys you imported with the import wizard after enigmail was ditched were imported unencrypted as plain-text -- up to and including the current version of Tbird. Yikes.
Yes.
Plus not asking again for the password in weeks.
-- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar)
On 5/26/21 3:46 PM, Carlos E. R. wrote:
On 2021-05-26 at 13:24 -0500, David C. Rankin wrote:
On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working making your drive readable by anyone with access -- but since that requires physical control -- it's minor.
I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.
Again, not a problem to someone with access. Take the disk, mount it on another computer, and just read the mail files - if not encrypted.
Access while encrypted and running? Yes, also possible. There is a bug in XFCE that somehow doesn't kick the screensaver when the machine is idle or hibernated, meaning that for example the laptop can be hibernated: steal it, start it, and you are in, no password protects the desktop.
Not if there is no battery in it.
AND, after hibernation Thunderbird does not ask for the master password again, so thunderbird is up and running and fully open. Read encrypted email, write encrypted email, no password asked.
perfect.
So the gist of the bug is all gpg keys you imported with the import wizard after enigmail was ditched were imported unencrypted as plain-text -- up to and including the current version of Tbird. Yikes.
Yes.
Plus not asking again for the password in weeks.
-- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar)
On 27/05/2021 10.12, -pj wrote:
On 5/26/21 3:46 PM, Carlos E. R. wrote:
On 2021-05-26 at 13:24 -0500, David C. Rankin wrote:
On 5/26/21 5:53 AM, Carlos E. R. wrote:
On 26/05/2021 12.47, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
Curious this was marked as "Minor" security impact. That's like saying your disk encryption wasn't working making your drive readable by anyone with access -- but since that requires physical control -- it's minor.
I guess with Tbird, you presumably would have to authenticate with your Linux user account before your e-mails were read.
Again, not a problem to someone with access. Take the disk, mount it on another computer, and just read the mail files - if not encrypted.
Access while encrypted and running? Yes, also possible. There is a bug in XFCE that somehow doesn't kick the screensaver when the machine is idle or hibernated, meaning that for example the laptop can be hibernated: steal it, start it, and you are in, no password protects the desktop.
Not if there is no battery in it.
No battery needed if the machine is hibernated (to disk). I did not say "suspended", which is to RAM. When it recovers there is no password asked, because the screensaver daemon was never started.
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
I think I may want to study more in depth in reference to KMail (It's enormous for a slow learner as myself). Not many peeps care anymore, it's mainly 'global' now anyways self centered N arrogant.. :|
On 5/26/21 5:47 AM, Carlos E. R. wrote:
On 26/05/2021 10.25, David C. Rankin wrote:
Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu
Cockup has since been patched in latest release 6 Comments
https://go.reg.cx/tdml/dfd67/60d51c7f/70bba22e/3ZNf
Gives me the shivers about ever updating....
Yeah :-(
And we have a vulnerable version, 78.10.0
participants (3)
- -pj
- Carlos E. R.
- David C. Rankin