Why trust gpg4win?

Henry Hertz Hobbit hhhobbit at securemecca.net
Thu Aug 22 23:06:11 CEST 2013

On 08/22/2013 06:22 PM, Jasper den Ouden wrote:
>> The solution of course is as you urged takethebus at gmx.de , to get a
>> free operating system such as Linux or BSD, complete with free 
>> build tools  & compile your own (even non programmers can do that, 
>> eg on an OS downloaded from http://www.freebsd.org
> Compiling your own fixes the issue of the sources not corresponding to
>  binaries. (well possibly there is a hole you compile with a
> compromised binary)

That is why the binaries that are built for you are done by at
least three people and they have to match (diff -b or my hexcmp
spit out nothing and return 0).  That was supposed to handle
the possibility of poison build tools.  If you are that
concerened, disassemble but only programmers that have worked
with assembler code will know what to do with it.  That includes
me but I think we are getting rarer all the time.  But the code
is also getting larger all the time making study of the assembler
code more difficult.

If you ask me, gpg4win was ready for prime time a long time ago.
I haven't finished it but here it is:


If you don't think it is a problem, three of my relatives Windows
OS computers got infected with two of them being in the last two
weeks.  "We like Chrome!"  I like Firefox not for the browser
itself but because NoScript can be slapped onto Firefox.  There
went over 75% of the malware threats from web-sites.  The main
problem after that is PEBKAC - Let me scan your machine - okay.

Since Phil Zimmerman refused to allow government back end hooks
and almost went to jail for it and all kinds of efforts are made
to give a product that can be trusted, then you have to look at
the people.  Well read the comments of the many people like
Werner Koch, David Shaw, Robert Hansen and others reassures me.
They are always concerned about the security of GPG, and GPG4Win.
I don't even worry about that end because they have never said
anything that raises red flags in me.  Now if they said that
NoScript is useles ...

My trust in GPG4Win is entirely predicated on whether the OS
(this is individual) is safe enough.  The NSA didn't use back
end hooks to take down a hacker selling stolen credit card data.
They watched and got his machine infected with their malware.
They stole his key-ring, monitored his key-strokes with a logger,
and then uploaded all of his files. They deciphered the files
and at the right moment snagged him and dragged him off to
court.  Why didn't they use the back end hooks in GPG4Win?
Answer - the probability for back end hooks is very low.

GPG4Win is ready if the Windows system it is used on is ready.
I suspect well over 95% of the Windows OS that are being
considered for slapping GPG4Win on them aren't ready for
GPG4Win being installed on them.  Worry about that first.

GPG4Win is ready.  Windows users, are you?


More information about the Gnupg-users mailing list