I have a query regarding best practice of using PGP to sign emails with Thunderbird 78.

Thunderbird 78 took an existing system by Enigmail and brought it "in-house" to be built into the email client program. This results in some notable changes which, to me, are concerning, and I wanted to double check if my concerns are valid:

  • The Thunderbird 78 model takes the Private Keys and re-encrypts copies of them internally with a random passphrase, which is apparently changed regularly. (Bugzilla Reference)

This is meant to make the keys safe, but because it's all automated this flags two concerns from me:

  1. The entire code/keys/passwords/passphrase required to decrypt/extract and/or brute force the key values are already statically stored on the disc (or possibly online).

  2. There is no mechanism for any form of authentication that any user of the email client is anyone who should have access to the PGP keys.

And part two:

  • Thunderbird by default offers no security authentication method (password) for accessing the program or all mailboxes (and encrypted emails) within, including PGP emails. There is an option to set a "Master Password", which is documented to be required to load PGP Keys, but this also has bugs in that this doesn't trigger on the first load of the email client as well as in some other situations.

I have found that due to these bugs the PGP encrypted mails are by default decrypted by Thunderbird so can be viewed by any user without needing to enter any Master Password.

Also there is some concern from others about how accessible passwords are on the disc device (even with a Master Password).

  3. My concern here is again that the Master Password will likely be of a lower entropy than the passphrase associated with the GnuPG source key(s).

(To be honest, concern number 3 is probably more my fear, but this whole scenario really doesn't feel very secure on two factors: security, and more importantly Authentication.)

Are my concerns valid or am I confused?

Bruno Rohée
Martin
  • 3
    I have the same concerns and have expressed that to the new Thunderbird 78 developers. In my opinion **PGP Private Pass Phrases should never be written to disk!** Enigmail requires a manual secret key entry per session per key and holds it only in memory, never written to disk. TB-78 writes all of the private keys to disk, protecting them only with the master password if used, otherwise unprotected entirely. The TB-78 developers are pursuing ease of use vs secure storage. I disagree and have rolled back to TB-68. *Interlink* appears to be a TB work-alike that uses Enigmail. – user10216038 Dec 02 '20 at 18:41
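
The storage model discussed in the question and comment above, as an added example that is not part of the original post and is not Thunderbird's code or file format: a simplified Python model of a private key wrapped under an automatically generated passphrase, with and without a master password protecting that passphrase. The function names, the `ITER` value and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, secrets

ITER = 100_000  # PBKDF2 cost; assumption chosen for the demo

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(secret, passphrase):
    """Encrypt-then-MAC `secret` under a key derived from `passphrase`."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    k = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITER, dklen=64)
    ct = _xor_stream(k[:32], nonce, secret)
    tag = hmac.new(k[32:], nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap(blob, passphrase):
    k = hashlib.pbkdf2_hmac("sha256", passphrase, blob["salt"], ITER, dklen=64)
    tag = hmac.new(k[32:], blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong passphrase")
    return _xor_stream(k[:32], blob["nonce"], blob["ct"])

def build_profile(private_key, master_password=None):
    """Return a dict modelling everything that ends up on disk."""
    auto = secrets.token_bytes(32)          # random passphrase the user never sees
    disk = {"key": wrap(private_key, auto)}
    if master_password is None:
        disk["auto_passphrase"] = auto      # no user secret anywhere in the chain
    else:
        disk["auto_passphrase_wrapped"] = wrap(auto, master_password)
    return disk

def recover_from_disk(disk, guess=b""):
    """What a holder of only the stored data (plus a guess) can unlock."""
    if "auto_passphrase" in disk:
        auto = disk["auto_passphrase"]
    else:
        auto = unwrap(disk["auto_passphrase_wrapped"], guess)
    return unwrap(disk["key"], auto)

if __name__ == "__main__":
    key = b"CONSTRUCTED-PRIVATE-KEY-BYTES"  # sample value, not a real key
    print(recover_from_disk(build_profile(key)) == key)
    print(recover_from_disk(build_profile(key, b"pw"), b"pw") == key)
```

In this model the random passphrase adds no secret of its own: with a master password set, the master password is the only input an offline guess has to match, which is the entropy concern raised as point 3.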

0 Answers