“OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.”

OpenPGP keys

In a new report from The Register, the news outlet spoke with security software developer Kai Engert at the Mozilla Thunderbird Project, who explained how master passwords are used by Firefox and Thunderbird to access stored secrets, saying:

“As soon as the user has configured a master password, the first time any of the stored secrets is required by Firefox/Thunderbird, the user will be prompted to enter it. If entered correctly, the symmetric key will be unlocked and remembered for the remainder of the session, and any protected secrets can be unlocked as needed.”

Engert also explained that Thunderbird's key-handling processes had been rewritten in order to maintain their security, and this is when the vulnerability was introduced. Before the code rewrite, the email client would copy a key to the permanent storage area and then protect it using Thunderbird's automatic OpenPGP password. However, after the rewrite, the keys were protected using the client's automatic OpenPGP password before being copied to the permanent storage area.

Engert and the reviewer assumed that the protection of the secret key would be preserved when copying it to the other storage area, but this turned out not to be the case, which led to users' OpenPGP keys being stored in plain text.

To avoid having their OpenPGP keys exposed, Thunderbird users should update their email client to version 78.10.2, which protects against the bug.

Thunderbird is a global, free, and open source email client that has grown significantly since its launch 10+ years ago. The project is governed by its community, which means that strategic and.

Enter your email account details and press Continue. Thunderbird will try to determine your account settings based on the domain portion of your email address (that is, the portion after the '@' symbol). Then press Manual Configuration and edit the server names, ports and IMAP/POP to manually set up the account.