[Enigmail] Paste passphrase from clipboard into pinentry dialogbox

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Mar 28 19:57:12 CET 2015


[redirecting to gnupg-devel, setting mail-followup-to: there]

On Wed 2015-03-25 18:26:38 -0400, Robert J. Hansen wrote:
>> My guess is that this is for added security.
>
> Correct.  Werner Koch has said several times that he will not change the
> code to permit C&P into the dialog box, as that would leave sensitive
> data in your clipboard -- and the clipboard, by definition, can be read
> by any application, including malware.

If the only concern is leaving sensitive data in the clipboard after
use, maybe pinentry could *accept* pastes, but then also clear the
clipboard after it was pasted into?

I understand that this still "encourages" people to put their
passphrases into the clipboard, but that seems to be happening anyway.

What if, upon accepting a paste, pinentry was to expand the dialog a bit
and show a warning that says something like:

   Pasted!  Your clipboard has also been emptied, so that your
   passphrase isn't exposed to other applications.  GnuPG recommends
   never copying your passphrase to the clipboard.

          --dkg


