Pinentry makes it awfully easy to snoop all passwords entered by the user

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Aug 28 20:12:37 CEST 2013


On 08/28/2013 11:39 AM, Niklas Schnelle wrote:

> So as I understand it pinentry is used to request a password from the user
> and it then sends that password to the requesting process via a pipe. The
> problem here is that this
> makes it a lot easier to snoop passwords than if gnupg read them in a more
> direct way.

Surely the same system-call tracing approach could be tuned to scrape the
passphrases from direct tty input as well?

If I understand it correctly, in newer versions of gpg (2.1, not yet
released afaik), the agent is designed to not transmit passwords to gpg
itself at all; instead, the agent hangs on to the keys and only
asymmetric crypto challenges and responses are communicated between the
agent and the gpg process.  So if you're really only concerned about
what's passing across the pipes then you probably want to move to the
newer version of gpg and test that out.

But basically: if your adversary has root on your machine or has full
control over your local account even, there isn't a way to use gpg (or
any software) safely.  This is unfortunate, but it seems to be the way
things work. :(

Regards,

	--dkg
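The agent design dkg describes (the key never leaves the agent; the pipe only carries a digest in one direction and a signature in the other) is easy to see in a small simulation. The following is an added example, not code from GnuPG or from anyone in this thread: a toy "agent" thread holds a deliberately tiny RSA key and answers sign requests over a socketpair, while the "client" records every byte that crosses the pipe so it can be checked for the passphrase and the private exponent. The primes, the passphrase and the JSON request format are all constructed for this illustration; the key is far too small to be secure and is there only to show the separation of concerns.

```python
"""Illustration of the agent design: the private key stays inside the agent,
and the only things crossing the pipe are a digest and a signature.
Everything here is constructed for the example; the RSA key is a toy."""
import hashlib
import json
import socket
import threading

# Toy RSA key (constructed; the primes are tiny and this is NOT secure).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))             # private exponent, never leaves the agent
PASSPHRASE = b"correct horse battery staple"  # constructed sample passphrase


def digest(message: bytes) -> int:
    """SHA-256 truncated to 32 bits so the integer fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:4], "big")


def agent(conn: socket.socket, passphrase: bytes) -> None:
    """Agent side. The passphrase is checked here, locally; the pipe only
    carries sign requests and signatures (or a refusal)."""
    unlocked = passphrase == PASSPHRASE
    with conn.makefile("rwb") as f:
        for line in f:                       # one JSON request per line
            req = json.loads(line)
            if unlocked and req.get("op") == "sign":
                resp = {"sig": pow(int(req["digest"]), D, N)}
            else:
                resp = {"error": "refused"}
            f.write(json.dumps(resp).encode() + b"\n")
            f.flush()
    conn.close()


def sign_via_agent(messages, passphrase=PASSPHRASE):
    """Client side: returns (signatures, transcript of every byte on the pipe).
    A None signature means the agent refused."""
    agent_end, client_end = socket.socketpair()
    worker = threading.Thread(target=agent, args=(agent_end, passphrase))
    worker.start()
    transcript, sigs = [], []
    with client_end.makefile("rwb") as f:
        for m in messages:
            req = json.dumps({"op": "sign", "digest": digest(m)}).encode() + b"\n"
            f.write(req)
            f.flush()
            resp = f.readline()
            transcript += [req, resp]        # everything that crossed the pipe
            sigs.append(json.loads(resp).get("sig"))
    client_end.close()
    worker.join()
    return sigs, transcript


def verify(message: bytes, sig: int) -> bool:
    """Anyone holding the public key (E, N) can check a signature."""
    return pow(sig, E, N) == digest(message)


def channel_leaks(transcript, secrets) -> bool:
    """True if any of the given secret byte strings appeared on the pipe."""
    blob = b"".join(transcript)
    return any(s in blob for s in secrets)


if __name__ == "__main__":
    msgs = [b"hello", b"world"]
    sigs, transcript = sign_via_agent(msgs)
    print("signatures verify:", all(verify(m, s) for m, s in zip(msgs, sigs)))
    print("passphrase or private exponent on the pipe:",
          channel_leaks(transcript, [PASSPHRASE, str(D).encode()]))
```

The point of the transcript check is the one made in the reply: with this split, someone who can only read the pipe between the two processes sees digests and signatures, which are useless for recovering the key or the passphrase, whereas a design that ships the passphrase itself across the pipe exposes it directly. The example does not change the last paragraph's conclusion: an adversary with root or full control of the account can read the agent's memory directly, and no pipe design helps with that.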
