Confirmation for cached passphrases useful?
Hauke Laging
mailinglisten at hauke-laging.de
Fri Oct 15 01:45:32 CEST 2010
On Tuesday 12 October 2010 04:44:41, Daniel Kahn Gillmor wrote:
> (e.g. one process can send a simulated mouseclick to another process
> pretty easily)
I am not familiar with X details (let alone that other OS). Does grabbing
the mouse prevent other processes from knowing where the click occurs? You
could use a dialog different from just an OK button. You could display a ten
times ten array and the user has to click a certain number. This is similarly
fast to clicking the OK button and easy to remember (always the same number)
but makes abuse improbable (of course, that is not the level of probability we
usually have when attacking gpg...).
If other processes cannot read the content of the dialog window then other
means are possible: Use a blank area with a randomly positioned mark to click
on.
And react to failures.
Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814