Visible Password
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Jun 22 19:54:17 CEST 2012
Hi Robert
Yes, you are right. It does indeed reveal your passphrase.
I also tried to repeat my problem again with GPA, and this time most of
my passphrase appeared in a Thunderbird window that had not popped up
when I started to use GPA after immediately reading your email.
Something (I did?) made this window pop up in Thunderbird whilst I was
working with GPA.
But I am not sure I fully agree with your diagnostic. Say a PC is running
slowly and another window appears just before you start to enter your
passphrase, say due to a slow action that had not finished when you
started GPA, then this new window will grab the keyboard focus without
you realising it (and without pinentry being able to do anything about
it). So your passphrase will go to the new window and should be visible
there straight away.
So I think the problem you mention is slightly different, in that you
are working in the command line mode, you type in your password to the
command line window, but it is not echoed back to you for some reason.
Then you switch to pinentry and it works just fine and exits, then when
the focus returns to the command line, your passphrase is echoed back to
it. My problem was somewhat different, in that a new window appeared in
the GPA window and my password was entered and echoed to it, then the
window disappeared again. What I do not know is what caused this new
window to pop up. I suspect it was a hacker.
regards
David
On 22/06/2012 18:04, Robert J. Hansen wrote:
> On 6/22/2012 11:54 AM, David Chadwick wrote:
>> I was demonstrating GPA for the first time to a class of students
>> yesterday and a very strange thing happened.
>
> I was able to recreate this on GPG4WIN Win7/64, incidentally. The
> problem does not appear to be in GPA, but in pinentry. It can be
> recreated with a stock GPG4WIN installation.
>
> Steps:
>
> 1. Open a command window and launch a gpg --edit-key session
> 2. Execute a command that requires passphrase entry
> 3. *Do not* shift focus from the command window
> 4. Type your passphrase. Nothing is visible.
> 5. Shift focus to pinentry
> 6. Type your passphrase and complete the passphrase
> 7. When focus returns to the command window, you'll see your
> passphrase has been entered
>
> This seems to be caused by pinentry not grabbing keyboard focus. It's a
> serious bug, all right.
>
>
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************