On Fri, 1 Dec 2023, [email protected] wrote:
I will say one thing about the method Carlos posted to
remove the password file. I was aware of this, and I have
seen posts like this in the past. Alpine has the ability
to remove this password too, and I have posted in the past
how to do this. This means, there are two ways to remove
the password from the encryption key, and I will modify
Alpine to force everyone to have a password in the
encryption key.
Can I ask what the specific threat model is that this step
is meant to combat?
If I understand correctly, the threat is that a rogue
web script can upload the password file and decrypt it at
leisure.
An attacker with local root doesn't need to care about any
disk encryption; he can read your decrypted master key and
the plaintext of your IMAP passwords directly from memory.
And of course a local attacker who doesn't have root can be
guarded against simply with filesystem permissions.
For a remote attacker that has gained shell-level access to
the user account, uploading a file is easier than finding
the password in the memory of a running process -
and that only works if alpine is currently running.
--
Andrew C. Aitchison Kendal, UK
[email protected]
_______________________________________________
Alpine-info mailing list
[email protected]
http://mailman12.u.washington.edu/mailman/listinfo/alpine-info