Extra key best solution for very insecure locations?

Andrew Berg bahamut at digital-signal.net
Wed May 9 00:01:43 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Janusz A. Urbanowicz wrote:
> On Mon, May 07, 2007 at 04:27:55PM +0800, Jim Berland wrote:
>> Hello everybody,
>>
>> I'm trying to find the best solution for using GPG on a USB drive
>> while travelling.
>>
>> I read the FAQ about subkeys which suggests to only use subkeys on
>> insecure computers. As far as I understand this, though, anybody who
>> got hold of my private subkeys would still be able to read all my
>> previous mails. The document was obviously written with workplace
>> computers and such in mind, rather than heavily infected Windows PCs
>> in internet cafes.
>
> I suggest abandoning carrying the key, and taking a good look at
hushmail.com.
Which is probably even less secure. In order to compromise a
PGP-encrypted message (without breaking the encryption), one must have
the private key and passphrase. In order to compromise Hushmail, one
only needs the passphrase, which is easier to obtain remotely. The
former requires a silent keylogger, knowledge of the key's existence,
and a program that will silently copy the key. The former requires an
IE data miner (not uncommon) unless the café owner has another browser
like Firefox or Opera, or allows users to use a portable browser like
Firefox Portable. A keylogger would work for the latter as well.
Personally, I wouldn't take the risk on a machine that I consider
insecure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iQEVAwUBRkDzGviOA0Bgp4/LAQOHTAgApdF9UKbbhyXdU5OdLuSlYHQ2eZ+raWel
vFvnjOFq9NkZIl4YOm8WuZi7Al5Xv7lRzebjcq+4nZOmRkBCY5JnD58bjPFUp4Yv
/B84T/scOV9bfqN2X0BVAA5QMmmy0YQFL9LGPCguidVHO8NikgJpIVaGyBijOiHW
p52AOXSgNrV6U5pLagJffRwnIWEMD+0UGu592YJ6ije9MUqUEN+v3hUQyw1HFtUf
B2KWKQ+apZ3k5muoV0wPjmVPp8kHD65JVRUM90kWiZBRt9gDZzvIBfQwjGFWxhdg
ciTFrn3Y9oXI9pQYsiJopHPKziQeSDLhvLpTfVq1pbfdvgkoSmgntg==
=m4BO
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list