[Alpine-info] Seeking someone who..?
jason-alpine-info at shalott.net
Fri Dec 1 12:43:59 PST 2023
> I will say one thing about the method Carlos posted to remove the
> password file. I was aware of this, and I have seen posts like this in
> the past. Alpine has the ability to remove this password too, and I have
> posted in the past how to do this. This means, there are two ways to
> remove the password from the encryption key, and I will modify Alpine to
> force everyone to have a password in the encryption key.

Can I ask what the specific threat model is that this step is meant to
combat?

An attacker with local root doesn't need to care about any disk
encryption; he can read your decrypted master key and the plaintext of
your IMAP passwords directly from memory. And of course a local attacker
who doesn't have root can be guarded against simply with filesystem
permissions.

So I think that the only attack that disk encryption defends against is
the one where an attacker has physical access to your disk while the host
is off. (Which is perhaps a realistic attack against someone travelling
with a laptop, but is probably not an especially high risk for most home
users working at their desktops?) But in that case, the attacker also has
access to the plaintext of the Alpine binary and config files, and so
could trivially re-derive Alpine's internally-generated key.

So I'm not clear what specific attacks such a measure would be meant to
combat.

More importantly, security-conscious users are probably already using
full-disk encryption (especially for laptops). And in that case, forcing
an extra layer of per-application crypto on to them doesn't seem like it
serves much purpose.

I think that it makes a ton of sense to have Alpine default to using its
own strong crypto. But it should also be possible for sophisticated,
security-conscious users to make their own decisions in this regard. I
don't think it's a good idea for software to get into a combative
relationship with its users...

I do agree that sometimes it is justified to force security measures on
users in cases where it substantially improves the security stance of the
internet at large. But I don't think that the current issue is one of
those cases.

Thanks.

-Jason