Why trust gpg4win?
takethebus at gmx.de
Thu Sep 12 15:55:24 CEST 2013
thank you for the many answers. Actually this thread should have been called
"Save use of gnuPG for everybody". From what I've learned here so far I come
to the following conclusions:
1. It should be to hard for the average user to configure windows such that
it is a secure system. Hence a linux/unix distribution which is trustworthy,
easy to use and very secure is needed. To me debian seems like a good choice
because it seems to be watched by many people and runs on almost any PC.
2.1 Most people have only one PC and windows as operating system, so the
linux/unix distribution should be installed on an USB device. This device
must not be plugged into the PC if windows is running, in order to avoid a
manipulation. Further I would uninstall the network drivers on the USB
device, so it is almost an offline PC. If the user receives an encrypted
file via email, he saves it to hard disk. Then he turns off the PC, plugs in
the USB drive and boots off it. He copies the file from the hard disk to the
USB drive (this should cause no trouble). Only if the file is of a simple
file format (jpg, RTF, mp3, PDF(?), etc.(?)) he accepts it and opens it with
a secure minimalistic tool. He might even first run a program like an anti
virus software(?) in order to check whether the structure of the file agrees
with the official definition of the sated file format.
2.2 If the user has two PCs, he might install the linux/unix distribution on
his offline PC. Files would be transferred between the two PCs by means of
CD-RWs(?), not by means of insecure USB devices. Auto-Play for CDs would be
Do you see any reasonable attack vectors? What do you think?
----- Original Message -----
From: "NdK" <ndk.clanbo at gmail.com>
To: <gnupg-users at gnupg.org>
Sent: Thursday, September 12, 2013 8:43 AM
Subject: Re: Why trust gpg4win?
> Il 11/09/2013 11:48, Pete Stephenson ha scritto:
>> Actually, I was thinking of something that was the exact opposite:
>> some device (which I don't think exists) that would allow one to
>> connect a USB flash drive to the device, and have the device convert
>> that into RS232 serial data for the computer, thus avoiding any USB
>> interaction with the computer itself. The computer would then need to
>> process the serial data to read or write files on the drive. As far as
>> I know, nothing like that exists and I'm not sure if it'd be possible
>> to do. Even if it was possible, it'd be immensely slower than normal
>> USB connections.
> Actually such a module exists, and is used to add flash disk access to
> small microcontrollers: it's VDrive2 (VNC1L module) by Vinculum
> I don't think it adds anything to security, but at least it's doable :)
> If you are *so* concerned about key security, it's better to use an HSM.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users