Icarus moment: Mozilla Thunderbird was saving OpenPGP keys in plaintext after encryption snafu

Mozilla Thunderbird spent the last couple of months saving some users’ OpenPGP keys in plain text – but that’s now been patched, the author of both the bug and the patch fixing it has told The Register. The vulnerability, assessed as “low” impact by Mozilla, existed in the free open source Thunderbird email client between …

  1. Anonymous Coward

    Assumption is the mother of...

    ... valuable lessons. It's good that this has been found and fixed so quickly, but the lesson is that just because you are using security, it doesn't mean that you are perfectly secure. Maybe you are, but maybe you're not.

  2. Bitsminer Bronze badge

    testing is the mother of...

    1. Load footgun.

    2. Fire.

    3. Aim.

    4. Sign off on test procedure completion.

    1. Blofeld's Cat Silver badge

      Re: testing is the mother of...

      5. Repeat steps 1 to 4

      6. Collect ISO 9001 certificate

  3. Pascal Monett Silver badge

    Encryption is very difficult to get right

    And it is hard to know how to test that you've got it right.

    Kudos to Kai Engert for having corrected the problem and getting it right.

    1. MJB7

      Re: Encryption is very difficult to get right

      This.

      It's easy enough (after the event) to see how to write a test to catch this particular mistake. (Search for the plain text of the input in the output - it shouldn't be there.) But that won't catch the mistake where the input is XORed with a fixed value, rather than a keystream derived from the password ...

      It's REALLY hard to test that crypto code is secure.
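
To make the point above concrete, here is an added Python example (not code from the thread, Thunderbird or RNP): three constructed stand-in "encryptors" run against the after-the-fact test MJB7 describes and against two further checks. The plaintext-absent test catches the store-the-input bug but passes the fixed-value XOR; a known-plaintext XOR check and a repeated-encryption check catch that one too. The sample key block, password and the keystream construction are all assumptions made up for this example.

```python
import hashlib
import os

PRIVATE_KEY = b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(constructed sample)"
PASSWORD = "correct horse battery staple"  # constructed sample

def bytes_xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Three stand-in "encryptors" (constructed for this example, not Thunderbird or RNP code).
def store_plaintext(plaintext: bytes, password: str) -> bytes:
    # The failure mode in the article: what gets written out is the input itself.
    return plaintext

def xor_fixed_value(plaintext: bytes, password: str) -> bytes:
    # MJB7's hypothetical mistake: XOR with a constant that ignores the password.
    return bytes_xor(plaintext, b"\x5a" * len(plaintext))

def xor_keystream(plaintext: bytes, password: str) -> bytes:
    # Illustrative only: fresh nonce, password-derived key, keystream from an XOF.
    # Production code should use an authenticated cipher from a vetted library.
    nonce = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), nonce, 100_000)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    return nonce + bytes_xor(plaintext, stream)

# Test 1: the check MJB7 describes. It catches store_plaintext and nothing else here.
def passes_plaintext_absent(encrypt) -> bool:
    return PRIVATE_KEY not in encrypt(PRIVATE_KEY, PASSWORD)

# Test 2: a known-plaintext check. If the output is the input XORed with a value
# that does not depend on the message and is reused between calls, then
# c1 ^ c2 == p1 ^ p2 for two equal-length plaintexts, whatever the "key" was.
def passes_known_plaintext_xor(encrypt) -> bool:
    p1, p2 = b"A" * 32, b"B" * 32
    c1, c2 = encrypt(p1, PASSWORD), encrypt(p2, PASSWORD)
    # Compare the trailing 32 bytes so a prepended nonce does not mask the relation.
    return bytes_xor(c1[-32:], c2[-32:]) != bytes_xor(p1, p2)

# Test 3: encrypting the same input twice must not give the same output.
def passes_distinct_ciphertexts(encrypt) -> bool:
    return encrypt(PRIVATE_KEY, PASSWORD) != encrypt(PRIVATE_KEY, PASSWORD)

def run_suite(encrypt) -> dict:
    return {
        "plaintext_absent": passes_plaintext_absent(encrypt),
        "known_plaintext_xor": passes_known_plaintext_xor(encrypt),
        "distinct_ciphertexts": passes_distinct_ciphertexts(encrypt),
    }
```

Tests 2 and 3 are still only necessary conditions; passing them rules out a couple of specific mistakes, not the whole class.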

    2. Mark 65 Silver badge

      Re: Encryption is very difficult to get right

      As always though it proves that testing changes is better than making assumptions in a code review. Testing is what seems to be lacking.

  4. Anonymous Coward

    Perhaps 3 years ago I installed T'bird, set it up with "Never Save Passwords", and found it was saving my passwords anyway. I uninstalled it.

  5. HildyJ Silver badge

    Follow up?

    As I read the article, Engert fixed the Thunderbird bug by reordering the sequence of steps BUT

    "Engert told us [there] was an error in the RNP software library"

    Has this been fixed in the RNP library? Any comments from their maintainers? Or am I reading it wrong?

    1. kaie

      Re: Follow up?

      https://www.rnpgp.org/advisories/ri-2021-001/

Biting the hand that feeds IT © 1998–2021