Confirmation for cached passphrases useful?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 12 04:44:41 CEST 2010


On 10/11/2010 10:20 PM, Robert J. Hansen wrote:
> On 10/11/2010 9:25 PM, Hauke Laging wrote:
>> I just had the idea that it might be a good countermeasure against 
>> malicious software not to use a cached passphrase without any user 
>> interaction (and thus without user notice).
> 
> The most obvious way I see to circumvent this involves throwing a
> trampoline on the UI library and bypassing this code entirely. It's a
> two-hour hack, assuming you already have root access to the system.

If you already have root access on the system, then yes -- all bets are
off.  But that's the case anyway when the malicious attacker has root
access.

> It
> might make users *feel* more secure, but it doesn't actually help
> overall system security -- IMO, at least.  YMMV.

It would help against the situation where the malicious client does
*not* have superuser access and cannot directly override the prompting
mechanism through other mechanisms.

Many standard X11 desktops today don't have such protections in place
(e.g. one process can send a simulated mouse click to another process
pretty easily), but that doesn't mean no one is running with a
well-isolated gpg-agent.

	--dkg
