erpo41 at gmail.com
Mon Oct 27 17:27:43 CET 2008
On Mon, 2008-10-27 at 12:00 -0400, Robert J. Hansen wrote:
> > May we assume that this kind of pop-up cannot be imitated by a
> > hacker that wants us to type our passphrase in his box?
> Of course not. If your box gets pwned, the person who pwns it can do
> whatever they want to it.

I think what the original poster is asking is: Provided that a flaw in
my client software is not being exploited, is it possible that this
dialog box is not authentic?

For example, it's no secret that web pages can pop up alert boxes (a
capability that someone visiting from the past might think is the
exclusive domain of client-side applications). So trusting anything that
appears in an alert box would be foolish.

> If your box is compromised, you're in a game over state.

This is true. However, nobody takes the effort to sift through every
byte of machine code on their computer before decrypting a file. It's
also beyond nearly everyone to compile their own software, let alone
audit gnupg, gpgme, and their email client of choice for bugs that could
possibly be used to obtain private keys and passphrases.

So the only thing a user can do in this case is to put a little effort
into developing a sense of which dialog boxes might or might not be
authentic based on how they look. This defeats some attacks.

To answer the original poster's question: You are right to be concerned
that the dialog box you are seeing might not be authentic, and kudos for
being so security-conscious. You are doing better than 99% of the people
out there. If you google "dialog spoofing", you can find out more about