michael graffam michael.graffam at gmail.com
Wed Jun 11 16:43:02 CEST 2008

Has anyone read the article in the most recent 2600 regarding using
LD_PRELOAD to eavesdrop on gnupg?

I realize that the actual recovery of a passphrase by this means is no
better than keylogger --

But what concerns me more (and isn't explicitely covered in the
article) is the ability to inject false randomness into GPG key
generation, or even change the plaintext going in.

I think the advice to statically link a strcmp and getenv into GPG for
purposes of checking/scrubbing the environment is a good one.

Sure - you have to trust the machine you're running on - but it seems
to me that a basic sanity check would be in order.



Sent from Gmail for mobile | mobile.google.com

More information about the Gnupg-users mailing list