No "evidence" is possible

listo factor listofactor at mail.ru
Sun Nov 13 09:30:24 CET 2016


On 11/07/2016 09:32 PM, Anthony Papillion wrote:
...
> Is there any evidence that GnuPG password entry is not part of the
> keystroke data sent to Microsoft? Does GnuPG take any steps to avoid
> this? Can it?

It can not.

Even if it was possible to obtain conclusive evidence that
currently installed OS components on some computer do not send
some particular segment of user's data back to the OS vendor,
any new update of the operating system, done automatically,
without continued exhaustive examination of its internals
by the user, could change things and invalidate the "evidence".
Even on Linux systems, there is not much security that can
be guaranteed by any program running on a network-connected
computer.

Even if GnuPG encryption and decryption are performed on a
stand-alone computer and transferred for communication to a
networked computer via a memory device, only the content of
the message would be protected. All other data, specifically
a complete network of who communicates with whom, when and
where, is completely open to an adversary. In almost all
real-life threat models, this data is just as sensitive as
is the content of the message.

All of the above is not explained sufficiently well to
non-technical users. This hardly matters to those that use
GnuPG simply because they believe all e-mail should be
encrypted for philosophical reasons, but can have dire
consequences for those that use the program when they have
a real need for robust protection of their communication.
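The point above, that encryption covers only the message body while the "who talks to whom" layer stays visible, can be illustrated on the OpenPGP message format itself. The following Python is an added example written for this archive page; it is not code from the post's author or from the GnuPG project. It builds a constructed PGP-encrypted message (RFC 4880 packet framing, with placeholder session-key and ciphertext bytes) and then, without any key material, reads back the recipient key IDs that every Public-Key Encrypted Session Key packet carries in the clear. The packet builder, the sample key IDs and the helper names are assumptions of this example.

```python
"""List the recipient key IDs that an OpenPGP-encrypted message exposes
in plaintext (RFC 4880 sections 4.2 and 5.1). Added example, not GnuPG code."""

import struct

TAG_PKESK = 1   # Public-Key Encrypted Session Key packet: names a recipient key
TAG_SEIPD = 18  # Symmetrically Encrypted Integrity Protected Data: the body
WILDCARD_KEY_ID = "00" * 8  # all-zero key ID, what --throw-keyids/--hidden-recipient emit


def _read_header(buf: bytes, pos: int):
    """Return (tag, body_offset, body_length) for the packet starting at pos."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("bit 7 of the packet tag byte must be set")
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled in this example")
    # old-format header (RFC 4880 4.2.1)
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not handled in this example")
    nbytes = 1 << length_type  # 1, 2 or 4 length octets
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return tag, pos + 1 + nbytes, length


def iter_packets(buf: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP message."""
    pos = 0
    while pos < len(buf):
        tag, body_off, body_len = _read_header(buf, pos)
        yield tag, buf[body_off:body_off + body_len]
        pos = body_off + body_len


def recipient_key_ids(message: bytes):
    """Key IDs named by PKESK packets; no private key is needed to read them."""
    ids = []
    for tag, body in iter_packets(message):
        if tag == TAG_PKESK:
            version, key_id, pk_algo = body[0], body[1:9], body[9]
            if version != 3:
                raise ValueError(f"unexpected PKESK version {version}")
            ids.append(key_id.hex().upper())
    return ids


def hidden_recipient_count(message: bytes) -> int:
    """How many PKESK packets use the all-zero wildcard instead of a real key ID."""
    return sum(1 for k in recipient_key_ids(message) if k == WILDCARD_KEY_ID)


# --- constructed sample message (placeholder key IDs, MPI and ciphertext) ---
def build_pkesk(key_id: bytes, pk_algo: int = 1, mpi: bytes = b"\x00\x10\xab\xcd") -> bytes:
    """Old-format PKESK: version 3, 8-byte key ID, algorithm, one dummy MPI."""
    body = b"\x03" + key_id + bytes([pk_algo]) + mpi
    return bytes([0x80 | (TAG_PKESK << 2), len(body)]) + body  # one-octet length


def build_seipd(ciphertext: bytes) -> bytes:
    """New-format SEIPD: version 1 followed by (placeholder) encrypted data."""
    body = b"\x01" + ciphertext
    return bytes([0xC0 | TAG_SEIPD, len(body)]) + body  # length < 192, one octet


SAMPLE_MESSAGE = (
    build_pkesk(bytes.fromhex("0123456789ABCDEF"))   # constructed recipient A
    + build_pkesk(bytes.fromhex("FEDCBA9876543210"))  # constructed recipient B
    + build_seipd(b"\x00" * 32)                      # placeholder ciphertext
)

HIDDEN_MESSAGE = (
    build_pkesk(bytes(8))                            # wildcard key ID, recipient hidden
    + build_seipd(b"\x00" * 32)
)

if __name__ == "__main__":
    print("recipients named in the clear:", recipient_key_ids(SAMPLE_MESSAGE))
    print("hidden recipients in wildcard message:", hidden_recipient_count(HIDDEN_MESSAGE))
```

Anyone who captures the ciphertext, in transit or on a mail server, learns the recipient key IDs this way; the sender's identity, timing and mail headers are exposed on top of that and are outside the format entirely. GnuPG's `--hidden-recipient` and `--throw-keyids` options replace the key ID with the all-zero wildcard, which removes the identifier from the packet but none of the transport-level metadata the post describes.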
