Am I reading correctly that ~“GPG private keys were stored unencrypted” and ~“messages could be modified to include non-encrypted chunks, which the client displayed without indicating the distinction” both count as low-severity?
This reminds me of the fact that Firefox, by default, allows anyone to view stored credentials – no authentication required, as no master password is set. It boggles my mind.
Well, it's not ideal, but it assumes the computer it is stored on is securely protected, so Thunderbird would not be the weakest link here.

Protecting this key would require asking the user for a password.

By default there is none, but users who use gpg are aware of security and would generally set a master password.