[pass] [PATCH] Firefox addon

Johan Venant jvenant at invicem.pro
Mon Oct 14 19:16:21 CEST 2013


On Mon, Oct 14, 2013 at 5:04 AM, guns <self at sungpae.com> wrote:

> On Sun 13 Oct 2013 at 04:58:25PM +0200, Johan Venant wrote:
>
> Passing a secret via argv or the environment is inadvisable because it
> can easily be acquired by other users on the system through ps(1) and
> other means.
>
> In contrast, while gpg-agent is a feature that trades security for
> convenience, its socket is at least scoped to the current user only.
>
> In addition, GnuPG's pinentry programs aim to be as secure as possible¹,
> so I don't mind giving my password to gpg/gpg-agent via its dialogs. I
> don't necessarily _distrust_ your plugin's password dialog, but being
> cavalier about typing one's password is a good way to get compromised.
>

Using a third-party program is always a risk.
As you said, even using gpg-agent is a risk. It could give any kind of
program easy access to your encrypted data. Security vs. convenience, it's
always a choice to make.
But I clearly understand your point.

> I may be missing something, but if your plugin knows GPG_AGENT_INFO and
> can exec `gpg2`, then GnuPG's pinentry->gpg-agent mechanism should just
> work as expected. Ensuring that Firefox inherits GPG_AGENT_INFO is the
> responsibility of the user/OS, not the client.
>

Accessing GPG_AGENT_INFO isn't a problem. The problem comes from the
inability of gpg-agent to open the pinentry dialog box from inside Firefox.
That's what I understand from the error message: "Error opening terminal:
unknown."
1- gpg tries to get the data.
2- It asks gpg-agent for the passphrase.
3- gpg-agent doesn't have it and tries to open a GTK/Qt dialog box to ask
the user for it.
4- For some reason (X environment, Firefox restrictions, permissions, ...)
gpg-agent can't open the dialog box.
5- It falls back to the ncurses (terminal) version, which doesn't work any
better.
Anyway, as you said, it's not a pass manager issue. It was just to say.

I will first try to release a version without passphrase management.
In a second step, if the addon is useful (and used by people other than
just me ^_^),
I will try to deal with the gpg-agent dialog box and the passphrase
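The point guns makes above about argv being readable through ps(1) can be checked directly. The following is an added example, not code from this thread or from pass; it spawns two idle child processes standing in for a gpg invocation (one given the passphrase as an argument, the equivalent of `gpg --passphrase`, one fed it on stdin, the equivalent of `gpg --passphrase-fd 0`) and reads /proc/<pid>/cmdline the way ps(1) does. It assumes Linux, and the secret value is a constructed sample.

```python
"""Added example: why a passphrase must not be handed to gpg on argv."""
import subprocess
import sys

# Child body: idle until one line arrives on stdin (a stand-in for gpg).
_IDLE = "import sys; sys.stdin.readline()"


def cmdline_of(pid):
    """Return the argv of a running process exactly as ps(1) sees it.

    /proc/<pid>/cmdline is world-readable on Linux, so any local user
    can read it; arguments are NUL-separated.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().rstrip(b"\0").split(b"\0")


def _probe(args, stdin_payload):
    """Start a child, snapshot its argv, then let it finish."""
    child = subprocess.Popen(args, stdin=subprocess.PIPE)
    try:
        # Popen only returns once the child has exec'd, so this is the
        # child's real argv, not the interpreter's pre-exec copy.
        argv = cmdline_of(child.pid)
    finally:
        child.communicate(stdin_payload)  # unblock stdin and reap it
    return argv


def secret_leaks_via_argv(secret):
    """Bad pattern: the secret is an argv element, visible to everyone."""
    argv = _probe([sys.executable, "-c", _IDLE, secret], b"\n")
    return secret.encode() in argv


def secret_leaks_via_stdin(secret):
    """Better pattern: the secret travels on a pipe, never on argv."""
    argv = _probe([sys.executable, "-c", _IDLE], secret.encode() + b"\n")
    return secret.encode() in argv


if __name__ == "__main__":
    sample = "hunter2-constructed-sample"  # constructed value, not real
    print("argv :", "LEAKED" if secret_leaks_via_argv(sample) else "hidden")
    print("stdin:", "LEAKED" if secret_leaks_via_stdin(sample) else "hidden")
```

Feeding the passphrase on a file descriptor only closes the ps(1) hole; letting gpg-agent and pinentry prompt, as guns describes, also keeps the secret out of the calling program entirely.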