From: Ihor Radchenko
To: Daniel Clemente
Cc: Eli Zaretskii, emacs-orgmode@gnu.org
Subject: Re: org-crypt leaking data when encryption password is not entered twice (was: Please document the caching and its user options)
References: <86ed921oxu.fsf@gnu.org> <874j9vllbp.fsf@localhost> <87o781t676.fsf@localhost> <874j9qs0wh.fsf@localhost> <87ed8mtyp0.fsf@localhost> <87msn7kffy.fsf@localhost>
Date: Thu, 27 Jun 2024 10:34:09 +0000
Message-ID: <87le2qy8ri.fsf@localhost>
List-Id: General discussions about Org-mode.

Daniel Clemente writes:

>> One simple idea is to disable backups if encryption fails.
>> Or use `write-contents-functions' instead of `before-save-hook' - that
>> way, Emacs will not ignore errors thrown by org-crypt and will not
>> actually save anything if encryption fails.
>>
>
> Disabling backups makes sense too, if we decide that unencrypted
> private data shouldn't end up in backups.
> I don't have an absolute opinion. Some people may prefer having
> backups of all data (including private unencrypted data).

Actually, thinking about it more, I realize that backups may never
contain unencrypted data as long as we never write this unencrypted data
when saving normally. That's because backup is always taken from disk and
never from the buffer contents.

So, the real problem to solve is how to _reliably_ prevent the
unencrypted data from being saved onto the disk.

> If it's possible to detect whether encryption failed in this buffer,
> there could be a warning saying „Last encryption failed. Really
> save?“.

Yes. In fact, `org-encrypt-entries' throws an error when encryption
fails. However, this error is displayed as a simple message, which is
immediately hidden by the "Wrote ..." message emitted a bit later.
This is because `basic-save-buffer' has

    ;; Don't let errors prevent saving the buffer.
    (with-demoted-errors "Before-save hook error: %S"
      (run-hooks 'before-save-hook))

If we use `write-contents-functions' instead of `before-save-hook',
there should be no such problem.

> Or just a message in the style of „Encryption failed. Saving the file
> may store unencrypted data in disk, and in backups and cache if
> enabled“.
>
> Totally preventing the user from saving a file seems harsh but it also
> seems safer. Since users have different safety preferences, Emacs can
> let the user decide what to do, through a question or optional
> setting.

I agree that "saving prevention" must be a user option.

>> These things should be considered bugs. And we should fix them. Cache and
>> other libraries should not be responsible for special treatment of
>> optional org-crypt library.
>>
>
> You can't fix all bugs all the time, so you can't base security on „we
> strongly believe there are no more bugs“.

I did not suggest that. What I am saying is that "we might have bugs, so
be careful" is not something we need to write in the documentation. The
only exception is when there is a known, long-living bug that we cannot
fix quickly and must warn users about.

> ... If doing an extra
> verification (to avoid storing private data on disk in unencrypted
> form) is fast, it's better with the verification.

>> Cache and other libraries should not be responsible for special
>> treatment of optional org-crypt library.
>
> That's arbitrary. Both persistent cache and org-crypt are optional,
> but any of them can check whether the other is enabled and try to do
> what the user wants.
> I know they both have separate responsibilities, but if there are only
> these 2 parts, one of them must be the one caring about „unencrypted
> data leaking into disk caches“.

Sure. But I meant that we should still write this code in the org-crypt
library, not inside org-persist. This is more of a technical detail and
code style.

> In addition, „leaving some encrypted sections unencrypted for a short
> amount of time, and closing and reopening the buffer during that time“
> isn't a bug, it's a possible user behaviour that we can't control. But
> org-crypt can mention that that behaviour is unsafe when using on-disk
> cache. Or detect it (if it's fast) and warn the user.

I did not mean that opening/closing the buffer is a bug. And I do not see
why this behavior is unsafe, sorry.

> It would be different if we had a third component… E.g. imagine we had
> a component/overlay/text property/… in Emacs that could tell whether a
> buffer's region contains very private information or not; then all
> other components could just obey that setting (that section won't be
> backed up, it won't end up in disk cache, … It can even be displayed
> in a different face). Then org-crypt just needs to set that flag when
> encryption fails. Does something like that exist? Anyway this is a bit
> utopic or overengineered. Simpler ways of improving things are with
> documentation (e.g. „Don't do this, it's unsafe“), with messages
> („You're doing this, which may be unsafe“), or with questions („Really
> do this unsafe thing?“)

Sounds interesting, but I am afraid that this idea is too abstract. It
is not clear what Emacs is supposed to do with such regions.

Maybe Eli has something better to say.

-- 
Ihor Radchenko // yantar92,
Org mode contributor,
Learn more about Org mode at .
Support Org development at ,
or support my work at
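The difference between the two hooks discussed in the message, as an added Emacs Lisp illustration that is not code from org-crypt or from the thread: a failing encryption step on `before-save-hook' is demoted to a message and the plaintext is still written, while the same step on `write-contents-functions' aborts the save. `my-failing-encrypt' and `my-save-demo' are hypothetical names; the function runs against a throwaway temp file and cleans it up.

```elisp
;; Added illustration, not org-crypt's own code.  `my-failing-encrypt'
;; stands in for an `org-encrypt-entries' call whose encryption fails.

(defun my-failing-encrypt ()
  "Hypothetical stand-in for `org-encrypt-entries' when encryption fails.
It always signals, as org-crypt does when the entry cannot be encrypted."
  (error "Encryption failed: no usable key"))

(defun my-save-demo (use-write-contents)
  "Save a scratch buffer with `my-failing-encrypt' installed as a save hook.
With USE-WRITE-CONTENTS non-nil the hook goes on `write-contents-functions',
otherwise on `before-save-hook'.  Return non-nil if a file was written,
i.e. if the unencrypted buffer text reached the disk."
  (let ((file (make-temp-file "crypt-demo-")))
    (delete-file file)                  ; start from a non-existent file
    (with-temp-buffer
      (insert "* Secret heading :crypt:\nplaintext that must not reach disk\n")
      (setq buffer-file-name file)
      (if use-write-contents
          ;; `basic-save-buffer' runs these with
          ;; `run-hook-with-args-until-success' and no error handler, so a
          ;; signal here aborts the save before the real write happens.
          (add-hook 'write-contents-functions #'my-failing-encrypt nil t)
        ;; `basic-save-buffer' wraps this hook in `with-demoted-errors',
        ;; so the signal becomes a transient message and the save goes on.
        (add-hook 'before-save-hook #'my-failing-encrypt nil t))
      (condition-case err
          (save-buffer)
        (error (message "save-buffer aborted: %s"
                        (error-message-string err))))
      (set-buffer-modified-p nil))      ; let the scratch buffer die quietly
    (prog1 (file-exists-p file)
      (when (file-exists-p file) (delete-file file)))))

;; Try both paths: (my-save-demo nil) and (my-save-demo t).
;; Only the `before-save-hook' path leaves a file on disk.
```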