TB: Key manager in TB
Hi- I am new and - hm a bit confused : TB (102 in Linux) ist protected with a primary PW. Starting TB, without the PW I am able change properties of the the keys in TB manager, e.g. confidential ect. Something missunderstood ?
Further questions : to what extent are the keys protected against an attack, while running TB or even while not running TB? And are the keys/PW protected also in the TB backupfile (profile.zip) ?
Less important but also a question. The protected TB (Primary PW) without PW lets everybody see all emails in every folder, except the new, not downloaded/deleted ones. Is this intented ?
Thanks for help & your time - to give me a better understanding. Cheers MGO
All Replies (3)
Hello
the primary password has never been intended to block access to the application, only to the saved passwords. It seems that you need to restart Thunderbird for it to be taken in account.
This said, I don't use this feature and I tried it for you, with Thunderbird 102.4.2 (default Ubuntu install) and it works but the user experience is strange. When opening Thunderbird the password is asked, then cancelling it opens Thunderbird all right, but it's asked again several times (it seems that there is one ask for every account configured to be read when Thunderbird starts), and cancelling the dialogs is very awkward - you need to find the currently active one to cancel it, and so on. I guess that it's because the password security is a Firefox tool, not really integrated with Thunderbird - when you start Thunderbird, if it's setup to read mail, it will need passwords immediately, while that's not the case with a browser.
All the keys are in the profile, if you backup it the passwords are in it too, protected or not depending on you having set a master password.
As of the security provided by this password, I can't give you any definite knowledge, I'm no cryptographer. It uses NSS (Wikipedia it), a library that seems to be also supported by moderately serious actors outside the Mozilla foundation (RedHat, that is, IBM, for example). I think that AES-256 is used, so when the big bad wolf open its quantum jaws on us, the key will stay safe. It's not safe from the legendary xkcd decryption key, though.
Modified by gp
Starting TB, without the PW I am able change properties of the the keys in TB manager, e.g. confidential ect.
Whatever you changed, I suppose that did not affect the private key.
And are the keys/PW protected also in the TB backupfile (profile.zip) ?
Yes, they are, as long as you did set a primary password.
The protected TB (Primary PW) without PW lets everybody see all emails in every folder, except the new, not downloaded/deleted ones. Is this intented ?
Yes, because the primary password protects account passwords (and private keys), but it doesn't protect the Thunderbird profile. There are other means to achieve this. https://kb.mozillazine.org/Protect_the_profiles_contents
Help > Thunderbird Help (or Get Help) will get you to the searchable KB, which is your friend. Which would lead to https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password