[Council Meeting] Minutes from 2020-06-08

Ben Bucksch ben.bucksch at beonex.com
Mon Jul 6 23:39:16 UTC 2020


> Berna inquired if there are more thoughts on doing a code audit 
> (related to crypto).


An important addition from the security standpoint: If you want to 
secure the crypto users, the scope of an audit must be not only code 
related to crypto, but 100% all of Thunderbird, when it comes to 
critical security holes. Per definition 
<https://www.mozilla.org/en-US/security/advisories/>, any critical hole 
anywhere in Thunderbird allows an attacker to also read the private 
keys, install a keylogger, and read all stored mail, and not only that, 
but most other documents owned by that user on that computer, even 
outside of mail. So, a security audit only of crypto related code is not 
the right perspective.

The best start is to look for critical holes first, before looking for 
crypto audits.

Of course, given that all the crypto code is new, it's a good idea to 
look at that as well.
