From: Daniel Clemente <n142857@gmail.com>
To: Ihor Radchenko <yantar92@posteo.net>
Cc: Eli Zaretskii <eliz@gnu.org>, emacs-orgmode@gnu.org
Subject: Re: org-crypt leaking data when encryption password is not entered twice (was: Please document the caching and its user options)
Date: Thu, 27 Jun 2024 08:55:33 +0000
Message-ID: <CAJKAhPCvqODa4PdqWztBmzL86MNaJ=az=F_x=6bFNh=wQx+k2A@mail.gmail.com>
In-Reply-To: <87msn7kffy.fsf@localhost>

>
> As for not typing the same password twice and not using
> org-crypt-use-before-save-magic, we should somehow fix this.
> (I am starting a new thread branch.)
>

„Not using org-crypt-use-before-save-magic“ is currently a user
decision, not a bug.
For instance, I don't use it because it adds around 5 seconds to each
saving of a large file. If it were instantaneous I would enable it.
With it disabled, this explains why I often find unencrypted sections
at the end of the day… I have to rely on myself to reencrypt them
again.
> One simple idea is to disable backups if encryption fails.
> Or use `write-contents-functions' instead of `before-save-hook' - that
> way, Emacs will not ignore errors thrown by org-crypt and will not
> actually save anything if encryption fails.
>

Disabling backups makes sense too, if we decide that unencrypted
private data shouldn't end up in backups.
I don't have an absolute opinion. Some people may prefer having
backups of all data (including private unencrypted data).

If it's possible to detect whether encryption failed in this buffer,
there could be a warning saying „Last encryption failed. Really
save?“.
Or just a message in the style of „Encryption failed. Saving the file
may store unencrypted data on disk, and in backups and cache if
enabled“.

Totally preventing the user from saving a file seems harsh but it also
seems safer. Since users have different safety preferences, Emacs can
let the user decide what to do, through a question or optional
setting.

> > At the end of the day when I do "git diff" + "git commit" sometimes I
> > realize there's unencrypted data and then I have to reencrypt it. In
> > the meantime I might have killed and reopened the buffer, thus
> > updating the file cache.
> > That may be a problem by org-encrypt and something to document in
> > org-crypt itself. The point is that users of org-encrypt should take
> > extra precautions when enabling org-element-cache-persistent. Like:
> > not closing buffers while the sections are unencrypted.
>
> These things should be considered bugs. And we should fix them. Cache and
> other libraries should not be responsible for special treatment of
> optional org-crypt library.
>

You can't fix all bugs all the time, so you can't base security on „we
strongly believe there are no more bugs“. If doing an extra
verification (to avoid storing private data on disk in unencrypted
form) is fast, it's better with the verification.

In addition, „leaving some encrypted sections unencrypted for a short
amount of time, and closing and reopening the buffer during that time“
isn't a bug, it's a possible user behaviour that we can't control. But
org-crypt can mention that that behaviour is unsafe when using on-disk
cache. Or detect it (if it's fast) and warn the user.

> Cache and
> other libraries should not be responsible for special treatment of
> optional org-crypt library.

That's arbitrary. Both persistent cache and org-crypt are optional,
but any of them can check whether the other is enabled and try to do
what the user wants.
I know they both have separate responsibilities, but if there are only
these 2 parts, one of them must be the one caring about „unencrypted
data leaking into disk caches“.

It would be different if we had a third component… E.g. imagine we had
a component/overlay/text property/… in Emacs that could tell whether a
buffer's region contains very private information or not; then all
other components could just obey that setting (that section won't be
backed up, it won't end up in disk cache, … It can even be displayed
in a different face). Then org-crypt just needs to set that flag when
encryption fails. Does something like that exist? Anyway this is a bit
utopic or overengineered. Simpler ways of improving things are with
documentation (e.g. „Don't do this, it's unsafe“), with messages
(„You're doing this, which may be unsafe“), or with questions („Really
do this unsafe thing?“).

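As an added illustration (not code from this thread or from org-crypt itself), here is how the two ideas discussed above could be combined: re-encrypting through `write-contents-functions' so that an encryption error cancels the save, with a user option deciding between aborting, asking „Really save?“, or only warning, and with backups inhibited when the user chooses to save unencrypted anyway. The `my/` names and the `my/org-crypt-on-failure' option are assumptions of this example; the Emacs variables and org-crypt functions used are real.

```elisp
;; Added example, not part of org-crypt: a save guard that replaces the
;; `before-save-hook' used by `org-crypt-use-before-save-magic' (which is
;; assumed to be nil here) with `write-contents-functions', so an error
;; from `org-encrypt-entries' is not silently ignored by Emacs.

(require 'org-crypt)

(defcustom my/org-crypt-on-failure 'ask
  "What to do when `org-encrypt-entries' fails while saving.
`abort' refuses the save, `ask' asks the user, `warn' only warns."
  :type '(choice (const abort) (const ask) (const warn)))

(defun my/org-crypt-guard-save ()
  "Encrypt entries before the buffer is written.
Return nil so that Emacs performs the normal save, or signal a
`user-error' to cancel it, depending on `my/org-crypt-on-failure'."
  (condition-case err
      (progn (org-encrypt-entries) nil)
    (error
     (let ((msg (format "Encryption failed (%s)."
                        (error-message-string err))))
       (pcase my/org-crypt-on-failure
         ('abort (user-error "%s Not saving." msg))
         ('ask
          (unless (y-or-n-p (concat msg " Really save unencrypted? "))
            (user-error "Save cancelled"))
          ;; The user accepted the risk; still keep the plaintext out
          ;; of the backup file for this buffer.
          (setq-local backup-inhibited t)
          nil)
         (_
          (display-warning
           'org-crypt
           (concat msg " Saving may store unencrypted data on disk,"
                   " in backups and in the persistent cache if enabled."))
          nil))))))

(defun my/org-crypt-enable-guard ()
  "Install the save guard buffer-locally in Org buffers."
  (add-hook 'write-contents-functions #'my/org-crypt-guard-save nil t))

(add-hook 'org-mode-hook #'my/org-crypt-enable-guard)
```

Because `write-contents-functions' is buffer-local, the guard only affects Org buffers, and a signalled error there aborts `save-buffer' entirely rather than leaving a half-encrypted file behind.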