Re: No empty master password allowed in FIPS Software Security Device

2020-03-15 Thread mozilla-lists . mbourne

Frank-Rainer Grahl wrote:
> mozilla-lists.mbou...@spamgourmet.com wrote:
>> Steve Dunn wrote:
>>> Can a master password be set after the upgrade has been
>>> completed, or must all saved passwords be left insecure until
>>> whenever this bug is fixed? The release notes don't actually say -
>>> they just say you have to remove the master password before upgrading
>>> and then delete two files with unencrypted passwords in them after
>>> upgrading.
>>
>> The way I interpret it is not that it's a bug, but that the format of
>> the files is changed in the new version and can't be converted on
>> first use of the new version if a master password is set.
>
> Correct. Thunderbird did track this in
> https://bugzilla.mozilla.org/show_bug.cgi?id=1510212
>
> I am not sure if it has been fully solved but the issue does not occur
> if the master password is removed before migration so we still think
> this is the best way. You can set it afterwards and now with a better
> encryption. Just make sure to delete the old key3.db and cert8.db.

The discussion on that bug fits with what I've experienced.  In
particular, from comment 4:

> The bug happens, if the old (pre-60) NSS DB (key3):
> - contains keys
> - has a master password set
> - is not unlocked during the first program session of a 60.x version

If I enter my master password at some point during the FIRST EVER
session of 2.53.1, the passwords are converted.  If I don't, the old
key3.db file is deleted without converting into the new format, and the
passwords are lost.

As you say, it seems it is not fully solved in SeaMonkey 2.53.1, and
there is a risk of losing passwords and certificates if the master
password is not removed before migrating (even if intending to enter it
during the first session, interruptions/crashes/hangs/power outages can
happen).  Removing the master password first, as recommended, is the
easy and safe option.

>> - There doesn't seem to be any problem setting a master password in
>> 2.53.1 once the profile has been converted.  Having done so, I assume
>> it is actually encrypting the saved passwords (though it would be good
>> to have that confirmed).
>
> Yes and hopefully with better encryption.

Great, thanks for confirming that.

>> I will, of course, be backing up my profile before upgrading SeaMonkey
>> on my live system!
>
> That is really recommended.

Having a backup has got me out of a few issues before.  Usually all goes
well, but it's better to be safe.  I don't usually go as far as testing
it in a VM, but this time wanted to check that I wouldn't lose all the
saved passwords by deleting key3.db and cert8.db (and having taken the
time to set that up, figured I may as well experiment with a few more
risky options).


--
Mark.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey


Re: No empty master password allowed in FIPS Software Security Device

2020-03-15 Thread Steve Dunn

On 2020-03-14 20:40, Frank-Rainer Grahl wrote:
> mozilla-lists.mbou...@spamgourmet.com wrote:
>> - There doesn't seem to be any problem setting a master password in
>> 2.53.1 once the profile has been converted.  Having done so, I assume
>> it is actually encrypting the saved passwords (though it would be good
>> to have that confirmed).
>
> Yes and hopefully with better encryption.

Thank you.  That answers the question that was not addressed by the
release notes.


-Steve



Re: No empty master password allowed in FIPS Software Security Device

2020-03-14 Thread Frank-Rainer Grahl

mozilla-lists.mbou...@spamgourmet.com wrote:
> Steve Dunn wrote:
>> On 2020-03-05 15:17, Frank-Rainer Grahl wrote:
>>> Check the password manager in the upgraded install. At least until
>>> recently this didn't work.
>>>
>>> I tested only on Windows and left the new password blank e.g. no chars
>>> entered. This worked fine for me.
>>
>> Can a master password be set after the upgrade has been completed, or
>> must all saved passwords be left insecure until whenever this bug is fixed?
>> The release notes don't actually say - they just say you have to remove the
>> master password before upgrading and then delete two files with unencrypted
>> passwords in them after upgrading.
>
> The way I interpret it is not that it's a bug, but that the format of the
> files is changed in the new version and can't be converted on first use of the
> new version if a master password is set.

Correct. Thunderbird did track this in
https://bugzilla.mozilla.org/show_bug.cgi?id=1510212

I am not sure if it has been fully solved but the issue does not occur if the
master password is removed before migration so we still think this is the best
way. You can set it afterwards and now with a better encryption. Just make
sure to delete the old key3.db and cert8.db.

> - There doesn't seem to be any problem setting a master password in 2.53.1
> once the profile has been converted.  Having done so, I assume it is actually
> encrypting the saved passwords (though it would be good to have that confirmed).

Yes and hopefully with better encryption.

> I will, of course, be backing up my profile before upgrading SeaMonkey on my
> live system!

That is really recommended.

FRG



Re: No empty master password allowed in FIPS Software Security Device

2020-03-14 Thread mozilla-lists . mbourne

Steve Dunn wrote:
> On 2020-03-05 15:17, Frank-Rainer Grahl wrote:
>> Check the password manager in the upgraded install. At least until
>> recently this didn't work.
>>
>> I tested only on Windows and left the new password blank e.g. no chars
>> entered. This worked fine for me.
>
> Can a master password be set after the upgrade has been completed,
> or must all saved passwords be left insecure until whenever this bug is
> fixed?  The release notes don't actually say - they just say you have to
> remove the master password before upgrading and then delete two files
> with unencrypted passwords in them after upgrading.


The way I interpret it is not that it's a bug, but that the format of 
the files is changed in the new version and can't be converted on first 
use of the new version if a master password is set.


Having experimented with upgrading from 2.49.5 to 2.53.1 in a Linux Mint 
VM today...


- Deleting key3.db and cert8.db doesn't seem to result in losing any 
data (I wasn't sure just reading the release notes).  On first start, 
2.53.1 creates two new files key4.db and cert9.db, presumably containing 
the same data but in the new format.  The upgrade seems to remove the 
old key3.db anyway, and deleting cert8.db doesn't seem to lose anything 
(all my saved passwords are still there, and nothing noticeably missing 
from the Certificate Manager).


- There doesn't seem to be any problem setting a master password in 
2.53.1 once the profile has been converted.  Having done so, I assume it 
is actually encrypting the saved passwords (though it would be good to 
have that confirmed).


- I also tried just starting the new version without first removing the 
master password in 2.49.5 (against the advice of the release notes).  As 
others have mentioned, that also seemed to work fine - provided you 
enter the master password when prompted on first starting 2.53.1.  If 
you cancel that prompt and exit SeaMonkey, next time there is no prompt 
for the master password and all the passwords are gone!  I wouldn't 
recommend going against the advice of the release notes though; this was 
just out of interest, working with a copy of my profile which I didn't 
mind trashing.  Although it seemed to work for me, there might be some 
issue I haven't noticed, and for all I know it might also depend on the 
OS, exactly which version the upgrade is from, installed extensions, 
configuration settings, the day of the week...


I will, of course, be backing up my profile before upgrading SeaMonkey 
on my live system!


--
Mark.
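
The file-level checks described in the message above (legacy key3.db/cert8.db versus the converted key4.db/cert9.db, plus a profile backup before touching anything), as an added shell example that is not part of the original thread. The function names are hypothetical, the application is assumed to be closed, and file presence alone does not prove the saved passwords were converted, so the password manager still needs checking by hand.

```shell
#!/bin/sh
# Added example, not from the thread. The file names key3.db, cert8.db,
# key4.db and cert9.db come from the messages; function names are hypothetical.

# count_present DIR FILE... -> number of listed files that exist and are non-empty
count_present() {
    dir=$1; shift; n=0
    for f in "$@"; do
        if [ -s "$dir/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# nss_db_state PROFILE_DIR -> legacy | converted | converted-legacy-present |
#                             incomplete | empty
nss_db_state() {
    old=$(count_present "$1" key3.db cert8.db)
    new=$(count_present "$1" key4.db cert9.db)
    if [ "$new" -eq 2 ] && [ "$old" -eq 0 ]; then echo converted
    elif [ "$new" -eq 2 ]; then echo converted-legacy-present
    elif [ "$new" -eq 0 ] && [ "$old" -eq 2 ]; then echo legacy
    elif [ "$new" -eq 0 ] && [ "$old" -eq 0 ]; then echo empty
    else echo incomplete
    fi
}

# backup_profile PROFILE_DIR BACKUP_DIR -> prints the archive path.
# umask 077 keeps the archive (which holds the key databases) owner-only.
backup_profile() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such profile: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    out="$dest/profile-$(date +%Y%m%d-%H%M%S).tar"
    ( umask 077; tar -cf "$out" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
    echo "$out"
}

# remove_legacy_dbs PROFILE_DIR BACKUP_ARCHIVE
# Deletes the old databases only when both new ones exist and a backup is on disk.
remove_legacy_dbs() {
    p=$1; archive=$2
    case $(nss_db_state "$p") in
        converted) return 0 ;;                 # nothing left to delete
        converted-legacy-present) ;;           # safe to continue
        *) echo "refusing: profile is not converted" >&2; return 1 ;;
    esac
    [ -s "$archive" ] || { echo "refusing: backup archive missing" >&2; return 1; }
    rm -f -- "$p/key3.db" "$p/cert8.db"
}
```

Run `backup_profile` and `nss_db_state` before the upgrade, then `remove_legacy_dbs` only after the first session of the new version has finished and the saved passwords have been confirmed in the password manager.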



Re: No empty master password allowed in FIPS Software Security Device

2020-03-07 Thread Ricardo Palomares Martínez
On 5/3/20 at 22:13, David E. Ross wrote:
> 
> 1.  Install the Password Exporter extension.  Since the "vanilla"
> version is not compatible with SeaMonkey, I am uploading my converted
> version to my Web site.  It is at
> .  (I will
> remove it from my Web site in two weeks.)
> (...)

Thank you very much. I've downloaded it and used it to follow your steps.

But, since I had the exported passwords and a full profile backup, I
dared to upgrade WITHOUT first removing the master password...

And guess what! Everything worked OK! I tested a number of saved
passwords in different websites, until I got tired of being successful
in every try. The email accounts work fine, too, and I have some X.509
certificates that also worked OK.

Still, I do not endorse anyone to do the same as me; if you do, be
absolutely sure that you have a good, complete backup of your profile
(and, if you have more than one profile, remember to follow steps for
each one).


> If you cannot import your passwords without first establishing a master
> password, then you have a version of SeaMonkey that has been tailored to
> meet FIPS security requirements.  (FIPS means "federal information
> processing standards" and is imposed on government and government
> contractor computer installations.)


I'm using official builds of SeaMonkey, but my profile may be dated
back to 1995, when I started using Netscape as my email agent. It was
created on Windows 3.11 and ported to Linux some years after that. I'm
definitely using this profile on Linux with Mozilla Suite since, at
least, 2002. Could it be that the FIPS tail comes from those old ages?

Thanks a lot for all your help.

-- 
Proyecto NAVE (Mozilla es-ES Localization Team)
Mozilla Hispano Community



Re: No empty master password allowed in FIPS Software Security Device

2020-03-07 Thread Ricardo Palomares Martínez
On 6/3/20 at 6:37, jcteyssi...@gmail.com wrote:
> 
> One idea: just replace linux's profile (after backup of course) with win 10's 
> one since master password deleted?
> 


Profiles in Linux and Windows are different, so I can't do that. :-)
Actually, the Windows 10 profile is a very basic one (no email
accounts, for instance) with just one saved password added to test the
procedure.

Thanks anyway. In my reply to David E. Ross I explain the (surprising)
outcome of my story.

-- 
Proyecto NAVE (Mozilla es-ES Localization Team)
Mozilla Hispano Community



Re: No empty master password allowed in FIPS Software Security Device

2020-03-06 Thread David E. Ross
On 3/6/2020 11:17 AM, Steve Dunn wrote:
> On 2020-03-05 15:17, Frank-Rainer Grahl wrote:
>> Check the password manager in the upgraded install. At least until 
>> recently this didn't work.
>>
>> I tested only on Windows and left the new password blank e.g. no chars 
>> entered. This worked fine for me.
> 
>   Can a master password be set after the upgrade has been completed, or 
> must all saved passwords be left insecure until whenever this bug is 
> fixed?  The release notes don't actually say - they just say you have to 
> remove the master password before upgrading and then delete two files 
> with unencrypted passwords in them after upgrading.
> 
> -Steve
> 

I was not sure about that, so here is what I did.

1.  Already having the Password Exporter extension installed, I exported
all my passwords.

2.  I went to [Edit > Privacy & Security > Master Passwords] and
selected the Reset Password button.

3.  I updated SeaMonkey.

4.  I went to [Edit > Privacy & Security > Master Passwords] and
established a master password.

5.  I used the Password Exporter extension to import the passwords from
the exported file.

6.  I used a STRONG file eraser to erase the exported file.

-- 
David E. Ross


Beyond Meat and other such vegetarian meat substitutes
represent the ultimate in ultra-processed foods.  Real
meat is natural.  Beyond Meat is definitely not.  No,
I do NOT own a cattle ranch, a butcher shop, or any
other business doing commerce in meat.


Re: No empty master password allowed in FIPS Software Security Device

2020-03-06 Thread Steve Dunn

On 2020-03-05 15:17, Frank-Rainer Grahl wrote:
> Check the password manager in the upgraded install. At least until
> recently this didn't work.
>
> I tested only on Windows and left the new password blank e.g. no chars
> entered. This worked fine for me.

Can a master password be set after the upgrade has been completed, or
must all saved passwords be left insecure until whenever this bug is
fixed?  The release notes don't actually say - they just say you have to
remove the master password before upgrading and then delete two files
with unencrypted passwords in them after upgrading.


-Steve


Re: No empty master password allowed in FIPS Software Security Device

2020-03-05 Thread jcteyssier1
On Thursday, 5 March 2020 20:23:23 UTC+1, Ricardo Palomares Martínez wrote:
> Hi,
> 
> I'm running SeaMonkey 2.49.5 on Linux (since 1995 starting with
> Netscape 4, perhaps). I was ready to replace the master password with
> an empty one, but it turns out that SeaMonkey does not allow me to set
> an empty password.
> 
> At the same time, I repeated the steps on a recent installation on
> Windows 10, and I had no trouble to set an empty password. The
> difference? On Windows 10, the Security Device is named "Software
> Security Device", whereas on Linux it is named "Software Security
> Device (FIPS)".
> 
> Is it just a matter of naming? And, if so, can I rename it?
> 
> On the other side, in the Windows 10 installation, with just a simple
> saved password, I purposely upgraded to 2.53.1 without emptying the
> master password, just to see what errors or malfunctions happened.
> And, funnily enough, nothing wrong happened; the saved password was
> still there.
> 
> I'm ready to just do a profile backup and try the direct upgrade with
> a master password set, but in case it fails, I wonder how could I fix it.
> 
> TIA
> 
> -- 
> Proyecto NAVE (Mozilla es-ES Localization Team)
> Mozilla Hispano Community

One idea: just replace linux's profile (after backup of course) with win 10's 
one since master password deleted?


Re: No empty master password allowed in FIPS Software Security Device

2020-03-05 Thread David E. Ross
On 3/5/2020 11:23 AM, Ricardo Palomares Martínez wrote:
> Hi,
> 
> I'm running SeaMonkey 2.49.5 on Linux (since 1995 starting with
> Netscape 4, perhaps). I was ready to replace the master password with
> an empty one, but it turns out that SeaMonkey does not allow me to set
> an empty password.
> 
> At the same time, I repeated the steps on a recent installation on
> Windows 10, and I had no trouble to set an empty password. The
> difference? On Windows 10, the Security Device is named "Software
> Security Device", whereas on Linux it is named "Software Security
> Device (FIPS)".
> 
> Is it just a matter of naming? And, if so, can I rename it?
> 
> On the other side, in the Windows 10 installation, with just a simple
> saved password, I purposely upgraded to 2.53.1 without emptying the
> master password, just to see what errors or malfunctions happened.
> And, funnily enough, nothing wrong happened; the saved password was
> still there.
> 
> I'm ready to just do a profile backup and try the direct upgrade with
> a master password set, but in case it fails, I wonder how could I fix it.
> 
> TIA
> 

1.  Install the Password Exporter extension.  Since the "vanilla"
version is not compatible with SeaMonkey, I am uploading my converted
version to my Web site.  It is at
.  (I will
remove it from my Web site in two weeks.)

2.  Use the extension to export all your passwords to a location on your
computer.  This is done by using Add-ons Manager to access the
extension's options.

3.  Open SeaMonkey's Preference window.  On the left side under
Category, select [Privacy & Security > Master Passwords].

4.  On the Master Passwords pane, select the Reset Password button.
Give positive responses to any dialogues.  Then close down the
Preferences window and its subsidiary windows and dialogues.

5.  Again, use the Password Exporter extension to import your passwords
from where you exported them.

If you cannot import your passwords without first establishing a master
password, then you have a version of SeaMonkey that has been tailored to
meet FIPS security requirements.  (FIPS means "federal information
processing standards" and is imposed on government and government
contractor computer installations.)

-- 
David E. Ross


Trump says U.S. considering restrictions at Mexican
border over coronavirus -- Reuters News (1 March)

Per Reuters, Mexico has reported 5 cases of
COVID-19.  Per the Canada Broadcasting Corporation,
Canada has reported 38 cases.  Why is not our northern
border also being closed?  (News reports as of 3 March)



Re: No empty master password allowed in FIPS Software Security Device

2020-03-05 Thread Frank-Rainer Grahl

Ricardo Palomares Martínez wrote:
> Hi,
>
> I'm running SeaMonkey 2.49.5 on Linux (since 1995 starting with
> Netscape 4, perhaps). I was ready to replace the master password with
> an empty one, but it turns out that SeaMonkey does not allow me to set
> an empty password.
>
> At the same time, I repeated the steps on a recent installation on
> Windows 10, and I had no trouble to set an empty password. The
> difference? On Windows 10, the Security Device is named "Software
> Security Device", whereas on Linux it is named "Software Security
> Device (FIPS)".
>
> Is it just a matter of naming? And, if so, can I rename it?
>
> On the other side, in the Windows 10 installation, with just a simple
> saved password, I purposely upgraded to 2.53.1 without emptying the
> master password, just to see what errors or malfunctions happened.
> And, funnily enough, nothing wrong happened; the saved password was
> still there.
>
> I'm ready to just do a profile backup and try the direct upgrade with
> a master password set, but in case it fails, I wonder how could I fix it.
>
> TIA

Check the password manager in the upgraded install. At least until recently
this didn't work.

I tested only on Windows and left the new password blank e.g. no chars entered.
This worked fine for me.


FRG


No empty master password allowed in FIPS Software Security Device

2020-03-05 Thread Ricardo Palomares Martínez
Hi,

I'm running SeaMonkey 2.49.5 on Linux (since 1995 starting with
Netscape 4, perhaps). I was ready to replace the master password with
an empty one, but it turns out that SeaMonkey does not allow me to set
an empty password.

At the same time, I repeated the steps on a recent installation on
Windows 10, and I had no trouble to set an empty password. The
difference? On Windows 10, the Security Device is named "Software
Security Device", whereas on Linux it is named "Software Security
Device (FIPS)".

Is it just a matter of naming? And, if so, can I rename it?

On the other side, in the Windows 10 installation, with just a simple
saved password, I purposely upgraded to 2.53.1 without emptying the
master password, just to see what errors or malfunctions happened.
And, funnily enough, nothing wrong happened; the saved password was
still there.

I'm ready to just do a profile backup and try the direct upgrade with
a master password set, but in case it fails, I wonder how could I fix it.

TIA

-- 
Proyecto NAVE (Mozilla es-ES Localization Team)
Mozilla Hispano Community