From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bastien Subject: Re: org-crypt.el security problem (From: Milan Zamazal) Date: Sun, 06 Mar 2011 10:59:07 +0100 Message-ID: <87aah8lgd0.fsf@altern.org> References: Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from [140.186.70.92] (port=50650 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1PwAkH-0001Pf-HH for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:26 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1PwAkG-0004WP-CI for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:25 -0500 Received: from mail-wy0-f169.google.com ([74.125.82.169]:36583) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1PwAkG-0004Up-68 for emacs-orgmode@gnu.org; Sun, 06 Mar 2011 04:59:24 -0500 Received: by wyi11 with SMTP id 11so3911958wyi.0 for ; Sun, 06 Mar 2011 01:59:23 -0800 (PST) In-Reply-To: (Peter Jones's message of "Fri, 04 Mar 2011 08:06:40 -0700") List-Id: "General discussions about Org-mode." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org Errors-To: emacs-orgmode-bounces+geo-emacs-orgmode=m.gmane.org@gnu.org To: Peter Jones Cc: emacs-orgmode@gnu.org Hi Peter, Peter Jones writes: > Here is an email I received from Milan Zamazal: > > ,---- > | I don't know whether you are aware of this, but I consider it a serious > | security problem of org-crypt.el in (at least) Emacs 23.2: > | > | I've found out that when I edit a (decrypted) crypt entry and the edited > | file is autosaved, the autosaved file contains the given crypt entry in > | plain text. So unless the user has got a special arrangement of storing > | autosave files to a secure location where they are also deleted > | securely, the secret content may be accessed either in the autosave file > | directly, or it may be later retrieved by an off-line attacker from the > | deleted file content that remained stored somewhere on the disk. > | > | This should be fixed or at least a big warning should be placed in > | org-crypt.el. > `---- > > I don't have time to look into this. Would someone please see if there > is a way to prevent it. Off the top of my head, the only thing I can > think of is disabling autosave for any org buffer that uses org-crypt. > > Hopefully there's an autosave hook where you can encrypt the headings > and save to disk using a temporary buffer without having to alter the > current buffer and interrupt the user by encrypting a heading that is > being edited. Actually that would be nice, but there is no such hook. Only `auto-save-hook', which operates on the visited buffer. I didn't find a satifactory way of dealing with this issue. For now, loading org-crypt will send a warning advising the user to turn auto-save-mode off in org buffers containing crypted entries. Thanks for bringing this up, -- Bastien