From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bastien <bzg@altern.org>
Subject: Re: org-crypt.el security problem (From: Milan Zamazal)
Date: Sun, 06 Mar 2011 10:59:07 +0100
Message-ID: <87aah8lgd0.fsf@altern.org>
References: <m27hce7wn3.fsf@pmade.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org>
Received: from [140.186.70.92] (port=50650 helo=eggs.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1PwAkH-0001Pf-HH
	for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:26 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <bastienguerry@googlemail.com>) id 1PwAkG-0004WP-CI
	for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:25 -0500
Received: from mail-wy0-f169.google.com ([74.125.82.169]:36583)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bastienguerry@googlemail.com>) id 1PwAkG-0004Up-68
	for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:24 -0500
Received: by wyi11 with SMTP id 11so3911958wyi.0
	for <emacs-orgmode@gnu.org>; Sun, 06 Mar 2011 01:59:23 -0800 (PST)
In-Reply-To: <m27hce7wn3.fsf@pmade.com> (Peter Jones's message of "Fri, 04 Mar
	2011 08:06:40 -0700")
List-Id: "General discussions about Org-mode." <emacs-orgmode.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/emacs-orgmode>
List-Post: <mailto:emacs-orgmode@gnu.org>
List-Help: <mailto:emacs-orgmode-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-orgmode>,
	<mailto:emacs-orgmode-request@gnu.org?subject=subscribe>
Sender: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org
Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org
To: Peter Jones <mlists@pmade.com>
Cc: emacs-orgmode@gnu.org

Hi Peter,

Peter Jones <mlists@pmade.com> writes:

> Here is an email I received from Milan Zamazal:
>
> ,----
> | I don't know whether you are aware of this, but I consider it a serious
> | security problem of org-crypt.el in (at least) Emacs 23.2:
> | 
> | I've found out that when I edit a (decrypted) crypt entry and the edited
> | file is autosaved, the autosaved file contains the given crypt entry in
> | plain text.  So unless the user has got a special arrangement of storing
> | autosave files to a secure location where they are also deleted
> | securely, the secret content may be accessed either in the autosave file
> | directly, or it may be later retrieved by an off-line attacker from the
> | deleted file content that remained stored somewhere on the disk.
> | 
> | This should be fixed or at least a big warning should be placed in
> | org-crypt.el.
> `----
>
> I don't have time to look into this.  Would someone please see if there
> is a way to prevent it.  Off the top of my head, the only thing I can
> think of is disabling autosave for any org buffer that uses org-crypt.
>
> Hopefully there's an autosave hook where you can encrypt the headings
> and save to disk using a temporary buffer without having to alter the
> current buffer and interrupt the user by encrypting a heading that is
> being edited.

Actually that would be nice, but there is no such hook.  
Only `auto-save-hook', which operates on the visited buffer.

I didn't find a satifactory way of dealing with this issue.  

For now, loading org-crypt will send a warning advising the
user to turn auto-save-mode off in org buffers containing 
crypted entries.

Thanks for bringing this up,

-- 
 Bastien