Confirmation for cached passphrases useful?

Robert J. Hansen rjh at
Tue Oct 12 06:34:48 CEST 2010

On 10/11/2010 10:44 PM, Daniel Kahn Gillmor wrote:
> It would help against the situation where the malicious client does
> *not* have superuser access and cannot directly override the prompting
> mechanism through other mechanisms.

This attack mode appears to me to be so niche that I don't see any point
in defending against it.  If my attack gives me local access I'm going
to shoot for remote.  If my attack gives me unprivileged access I'm
going to escalate it to root.  This is straight out of the malware
playbook, and malware authors have a great many ways to achieve it.

Heck, this doesn't even defend against an *unprivileged* attack.  Give
me unprivileged access to your user account I'll edit your .profile to
put a .malware/ subdirectory on your PATH and drop my trojaned GnuPG in
there.  Once the malware executes, delete the hidden subdirectory,
restore your original PATH, and send the passphrase it intercepted off
towards my C4I server.

And if we're assuming I've instead subverted an unprivileged non-user
account (like a jailed service), then this "attack" is a nonissue, so
why are we trying to solve it?

This seems like a niche solution to a problem which, as of right now,
is nonexistent.
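A defender-side check for the PATH hijack sketched above, as an added example that is not part of the original post or of GnuPG itself: it flags PATH entries an unprivileged user could populate (hidden directories under the home directory, relative entries) and reports which gpg binary the shell currently resolves. The function names audit_path and resolve_gpg and the sample PATH values are my own.

```shell
#!/bin/sh
# Audit a PATH value for entries that an unprivileged attacker who can
# edit the user's dotfiles could fill with a trojaned binary. Entries
# are flagged for human review; a hidden directory under $HOME is not
# proof of compromise, but it is where the scenario above puts its copy.

# Print each suspicious entry of the PATH string $1, treating $2 as the
# home directory. Returns 0 if nothing was flagged, 1 otherwise.
audit_path() {
    path_value=$1
    home_dir=$2
    found=0
    old_ifs=$IFS
    set -f                      # no globbing while splitting on ':'
    IFS=:
    set -- $path_value
    IFS=$old_ifs
    set +f
    for entry in "$@"; do
        case $entry in
            "")
                echo "empty entry (means current directory)"; found=1 ;;
            .|./*|../*)
                echo "relative entry: $entry"; found=1 ;;
            "$home_dir"/.*)
                echo "hidden dir under home: $entry"; found=1 ;;
        esac
    done
    return $found
}

# Report which gpg the shell would run, so it can be compared with the
# package-managed location (for example /usr/bin/gpg on most distributions).
resolve_gpg() {
    command -v gpg 2>/dev/null || echo "gpg not found"
}

audit_path "$PATH" "$HOME" || echo "PATH contains entries worth reviewing"
echo "gpg resolves to: $(resolve_gpg)"
```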
