Confirmation for cached passphrases useful?

Jameson Rollins jrollins at finestructure.net
Fri Oct 15 23:04:41 CEST 2010


On Fri, 15 Oct 2010 15:36:51 -0400, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
> On 10/15/10 2:49 PM, Jameson Rollins wrote:
> > Without use confirmation in the agent, a malicious program running under
> > your account could access your secret key without you knowing it.
> 
> This can still happen with a confirmation prompt.  Confirmation cannot
> protect against malware running under your account.  If the agent pops
> up a dialog box, then all I have to do is intercept the dialog box and
> answer 'yes.'

Ok, then this protects against malicious programs that are not
intercepting the dialog box.  Just because a fix for one problem doesn't
solve all possible problems does not mean that it should be ignored.
Don't let the perfect be the enemy of the good.

jamie.


More information about the Gnupg-users mailing list