Date:      Thu, 19 Nov 2020 14:01:36 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: How is Thunderbird signing my emails?
Message-ID:  <3e4179d0-f6c4-66a5-9628-b2ee95071858@FreeBSD.org>
In-Reply-To: <9e617638-0bd9-52cd-c361-8d73633d9bab@m5p.com>
References:  <9e617638-0bd9-52cd-c361-8d73633d9bab@m5p.com>

On 19.11.2020 5:52, George Mitchell wrote:

> The Thunderbird people have integrated the functionality of Enigmail
> into Thunderbird itself.  In the abstract, this sounds like a great
> idea, because I believe that the more people use PGP signatures and
> encryption, the better.  But the concrete reality of the implementation
> puzzles me in a couple of respects:
  The concrete reality of the implementation is awful. It is not a replacement for Enigmail :-(

> 
> a. It's now inclined to attach my public key to every message I send,
> unless I tell it not to do that on a message-by-message basis (under
> the "Security" menu in the message composition dialog).  I can't find
> where I can globally disable this.
  See https://bugzilla.mozilla.org/show_bug.cgi?id=1654950 - new releases will have a hidden setting for it.

> b. More alarmingly, when it appends my PGP signature to my outgoing
> messages, it is able to unlock my private key without asking for the
> passphrase.  How is it doing this??
  New Thunderbird doesn't use the GPG keyring; it imports all keys into its own database (also, it doesn't use the Web of Trust!). Private keys are protected only by the global profile password (did you have this one set? I doubt it; it is a rarely used feature). So, if your account is without a global password, your imported private keys are not protected at all. Good luck with that :-(

-- 
// Lev Serebryakov


