[pass] [PATCH] Firefox addon

guns self at sungpae.com
Mon Oct 14 05:04:12 CEST 2013

On Sun 13 Oct 2013 at 04:58:25PM +0200, Johan Venant wrote:

> Ok, so regarding your answer, I assume you think that my patch is not
> a good idea. I perfectly understand that.
> By the way, I can remove the passphrase dialogbox feature from the
> firefox plugin if it's not a good idea.

Passing a secret via argv or the environment is unadvisable because it
can easily be acquired by other users on the system through ps(1) and
other means.

In contrast, while gpg-agent is a feature that trades security for
convenience, its socket is at least scoped to the current user only.

In addition, GnuPG's pinentry programs aim to be as secure as possible¹,
so I don't mind giving my password to gpg/gpg-agent via its dialogs. I
don't necessarily _distrust_ your plugin's password dialog, but being
cavalier about typing one's password is a good way to get compromised.

> If you use gpg-agent in the same user session than your firefox
> (should probably be the case), you will still be able to add your
> passphrase to gpg-agent from your command line. the plugin will
> then have access to your data through gpg-agent without asking your
> passphrase. Much less user friendly, but still efficient. Doesn't it ?

I may be missing something, but if your plugin knows GPG_AGENT_INFO and
can exec `gpg2`, then GnuPG's pinentry->gpg-agent mechanism should just
work as expected. Ensuring that Firefox inherits GPG_AGENT_INFO is the
responsibility of the user/OS, not the client.


¹ Which ranges from pretty secure all the way down to "I promise not to
  snoop" if you use X
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20131013/ef0f8633/attachment.asc>

More information about the Password-Store mailing list