From: Daniel Clemente
Date: Thu, 27 Jun 2024 08:55:33 +0000
Subject: Re: org-crypt leaking data when encryption password is not entered twice (was: Please document the caching and its user options)
To: Ihor Radchenko
Cc: Eli Zaretskii, emacs-orgmode@gnu.org
In-Reply-To: <87msn7kffy.fsf@localhost>

> > As for not typing the same password twice and not using
> > org-crypt-use-before-save-magic, we should somehow fix this.
> (I am starting a new thread branch.)
>

„Not using org-crypt-use-before-save-magic“ is currently a user decision,
not a bug. For instance, I don't use it because it adds around 5 seconds
to each saving of a large file. If it were instantaneous I would enable it.
With it disabled, this explains why I often find unencrypted sections at
the end of the day… I have to rely on myself to reencrypt them again.

> One simple idea is to disable backups if encryption fails.
> Or use `write-contents-functions' instead of `before-save-hook' - that
> way, Emacs will not ignore errors thrown by org-crypt and will not
> actually save anything if encryption fails.
>

Disabling backups makes sense too, if we decide that unencrypted private
data shouldn't end up in backups. I don't have an absolute opinion. Some
people may prefer having backups of all data (including private
unencrypted data).

If it's possible to detect whether encryption failed in this buffer, there
could be a warning saying „Last encryption failed. Really save?“. Or just a
message in the style of „Encryption failed. Saving the file may store
unencrypted data on disk, and in backups and cache if enabled“.

Totally preventing the user from saving a file seems harsh but it also
seems safer. Since users have different safety preferences, Emacs can let
the user decide what to do, through a question or optional setting.

> > At the end of the day when I do "git diff" + "git commit" sometimes I
> > realize there's unencrypted data and then I have to reencrypt it. In
> > the meantime I might have killed and reopened the buffer, thus
> > updating the file cache.
> > That may be a problem by org-encrypt and something to document in
> > org-crypt itself. The point is that users of org-encrypt should take
> > extra precautions when enabling org-element-cache-persistent. Like:
> > not closing buffers while the sections are unencrypted.
>
> These things should be considered bugs. And we should fix them. Cache and
> other libraries should not be responsible for special treatment of
> optional org-crypt library.
>

You can't fix all bugs all the time, so you can't base security on „we
strongly believe there are no more bugs“. If doing an extra verification
(to avoid storing private data on disk in unencrypted form) is fast, it's
better with the verification.

In addition, „leaving some encrypted sections unencrypted for a short
amount of time, and closing and reopening the buffer during that time“
isn't a bug, it's a possible user behaviour that we can't control. But
org-crypt can mention that that behaviour is unsafe when using on-disk
cache. Or detect it (if it's fast) and warn the user.

> Cache and
> other libraries should not be responsible for special treatment of
> optional org-crypt library.

That's arbitrary. Both persistent cache and org-crypt are optional, but
any of them can check whether the other is enabled and try to do what the
user wants. I know they both have separate responsibilities, but if there
are only these 2 parts, one of them must be the one caring about
„unencrypted data leaking into disk caches“.

It would be different if we had a third component… E.g. imagine we had a
component/overlay/text property/… in Emacs that could tell whether a
buffer's region contains very private information or not; then all other
components could just obey that setting (that section won't be backed up,
it won't end up in disk cache, … It can even be displayed in a different
face). Then org-crypt just needs to set that flag when encryption fails.
Does something like that exist?

Anyway this is a bit utopic or overengineered. Simpler ways of improving
things are with documentation (e.g. „Don't do this, it's unsafe“), with
messages („You're doing this, which may be unsafe“), or with questions
(„Really do this unsafe thing?“)
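The "check before saving and ask" approach discussed in this thread, written as an added example for a user's init file (not code from org-crypt or from anyone in the thread). It hangs a buffer-local function on `write-contents-functions', as suggested above, and assumes org-crypt's `org-crypt-tag-matcher' and `org-at-encrypted-entry-p' are available; the function name is hypothetical.

```elisp
;; Added example, not part of org-crypt.  Refuse (or confirm) saving an
;; Org buffer while an entry tagged for encryption is still plain text, so
;; the plaintext does not reach the file, its backups or the on-disk cache.
(require 'org)
(require 'org-crypt)   ; assumed to provide org-crypt-tag-matcher,
                       ; org-at-encrypted-entry-p

(defcustom my/org-crypt-unencrypted-save-action 'ask
  "What to do when saving with unencrypted :crypt: entries.
`ask' prompts, `abort' refuses the save, `warn' only shows a message."
  :type '(choice (const ask) (const abort) (const warn)))

(defun my/org-crypt-unencrypted-headings ()
  "Return headings of entries matching `org-crypt-tag-matcher'
whose body is not yet a PGP message."
  (let (plain)
    (org-map-entries
     (lambda ()
       (unless (org-at-encrypted-entry-p)
         (push (org-get-heading t t t t) plain)))
     org-crypt-tag-matcher)
    (nreverse plain)))

(defun my/org-crypt-guard-save ()
  "Hypothetical `write-contents-functions' member.
Signals an error (aborting the save) or asks, depending on
`my/org-crypt-unencrypted-save-action'.  Returns nil so that, when it
does not abort, Emacs writes the file as usual."
  (when (derived-mode-p 'org-mode)
    (let ((plain (my/org-crypt-unencrypted-headings)))
      (when plain
        (let ((msg (format "%d :crypt: entr%s still unencrypted: %s"
                           (length plain)
                           (if (= (length plain) 1) "y is" "ies are")
                           (mapconcat #'identity plain ", "))))
          (pcase my/org-crypt-unencrypted-save-action
            ('abort (user-error "Save aborted: %s" msg))
            ('ask (unless (yes-or-no-p
                           (concat msg ". Saving stores plaintext on disk"
                                   " (and in backups/cache). Really save? "))
                    (user-error "Save aborted by user")))
            (_ (message "Warning: %s" msg)))))))
  nil)

;; Install buffer-locally for every Org buffer.
(add-hook 'org-mode-hook
          (lambda () (add-hook 'write-contents-functions
                               #'my/org-crypt-guard-save nil t)))
```

A `user-error' signalled here propagates out of `basic-save-buffer', so in the `abort' case nothing is written; `write-contents-functions' is buffer-local by design, hence the `t' in `add-hook'.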