List: gnupg-devel
Subject: Re: Pinentry makes it awfully easy to snoop all passwords entered by the user
From: Werner Koch <wk () gnupg ! org>
Date: 2013-08-29 7:46:46
Message-ID: 87y57lq6qh.fsf () vigenere ! g10code ! de

On Wed, 28 Aug 2013 20:12, dkg@fifthhorseman.net said:

> released afaik), the agent is designed to not transmit passwords to gpg
> itself at all; instead, the agent hangs on to the keys and only
> asymmetric crypto challenges and responses are communicated between the
> agent and the gpg process. So if you're really only concerned about

Right. However, the pinentry is still used to ask for the passphrase or
PIN. As a separate process it also communicates via pipes.

> but basically: if your adversary has root on your machine or has full
> control over your local account even, there isn't a way to use gpg (or

Right. As soon as you can ptrace a process it is really easy to figure
out anything. An adversary might also use gdb to grab interesting
things. I do that all the time during debugging.

Protecting one from herself is not possible.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.