Strange message...

Laurent Jumet laurent.jumet at skynet.be
Tue Oct 28 07:55:43 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160


Hello Faramir !

Faramir <faramir.cl at gmail.com> wrote:

>    Well, I _suppose_ (and I can be very wrong about it) it is not a
> threat, probably, since GnuPG is "smart" and it can "decide" what to do,
> depending on the input it receives, probably Enigmail detected a PGP
> block, and sent it to gpg... and gpg probably detected it was encrypted,
> and asked for a passphrase to decrypt it... I _suppose_ the worst thing
> that can happen would be the secret key being displayed unencrypted on the
> screen... but I doubt somebody would be able to look at it over your
> shoulder and memorize it ;)
>   Anyway, since Thunderbird 2 can run javascript... would it be feasible
> to send a js file attached to a message, resembling Enigmail's
> passphrase dialog?

    GnuPG is not involved.
    Every time you use a shell, this shell can be:
- -malicious itself, as it sees all your passwords and passphrases.
- -imitated by a remote that sends a window that looks like the original one.

- -- 
Laurent Jumet
      KeyID: 0xCFAF704C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iHEEAREDADEFAkkGuGMqGGh0dHA6Ly93d3cucG9pbnRkZWNoYXQubmV0LzB4Q0ZB
RjcwNEMuYXNjAAoJEPUdbaDPr3BMlLgAoMKx22a9OTIFzZgqXB/afKH9GR2qAKDg
e9rt714qrLQB1pny0Ngxhfn1EQ==
=xqRz
-----END PGP SIGNATURE-----


