Gnupg-users Digest, Vol 7, Issue 19

Neil Williams linux at codehelp.co.uk
Wed Apr 14 23:12:36 CEST 2004


On Wednesday 14 Apr 2004 9:31, Kevin McNally wrote:
> Thanks Pete,
>
> From the little information I have found it may be a permissions issue on
> the server, but I can not be sure. Basically this is what happens:
> 1. Someone fills out a form on the website and it is emailed to someone I
> created a key for.
> 2. The recipient gets an email with an encrypted message in the body.
> 3. Once the email is received, she goes to a separate webpage on the
> server to decrypt it.
> 4. She copies the encrypted body of the message into a text box on the page
> and types the pass phrase into a separate field.
> 5. The form data is formatted and displayed for her to use.

At which point, all your effort in encrypting the transmitted data is lost! 
Everything that the server displays in the browser is sent in plain text - 
including the decrypted block!! 

Unless the block is decrypted locally, it will be pointless encrypting it in 
the first place! If you never encrypted it in the first place, the data would 
still be sent once in clear text, just like in your system.

The second problem is that the PASSPHRASE is sent in clear text too, so now 
the key is compromised too, or are you doing this over https:// ?

>
> Does that make sense?

Umm, No. Sorry.

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
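
Added example, not part of the original message: one way to do the local decryption the reply calls for, so that neither the passphrase nor the plaintext is handled by the web server. The function names and the sample mail are constructed for illustration; gpg is assumed to be installed on the recipient's machine with her secret key in the local keyring.

```shell
#!/bin/sh
# Print the first complete ASCII-armored PGP message found on stdin.
# Tolerates CRLF line endings and "> " quote markers added by mail clients.
# Exits non-zero if no complete BEGIN/END block is present.
extract_armor() {
    awk '
        { sub(/\r$/, ""); sub(/^(> ?)+/, "") }
        /^-----BEGIN PGP MESSAGE-----$/ { inside = 1; buf = "" }
        inside { buf = buf $0 "\n" }
        inside && /^-----END PGP MESSAGE-----$/ { printf "%s", buf; found = 1; exit }
        END { exit !found }
    '
}

# Decrypt a saved mail file with the local gpg. The passphrase prompt comes
# from the local gpg-agent/pinentry, so it never crosses the network.
decrypt_locally() {
    mail_file=$1
    armor=$(extract_armor < "$mail_file") || {
        echo "no complete PGP message in $mail_file" >&2
        return 1
    }
    printf '%s\n' "$armor" | gpg --decrypt
}

# Constructed sample mail (the armor body is filler, not a real ciphertext).
sample_mail() {
    printf '%s\r\n' \
        'Subject: Website form submission' \
        '' \
        'New form data follows.' \
        '> -----BEGIN PGP MESSAGE-----' \
        '> ' \
        '> hQEMA0NPTlNUUlVDVEVEX1NBTVBMRV9OT1RfUkVBTA==' \
        '> =AbCd' \
        '> -----END PGP MESSAGE-----' \
        'trailing footer'
}
```

Saving the mail to a file and running `decrypt_locally saved-mail.txt` keeps the decrypted form data on the recipient's machine only.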