Fwd: Re: Fwd: Re: Question for app developers, like Enigmail etc. - Identicons

Ludwig Hügelschäfer ludwig at enigmail.net
Mon Jun 12 21:21:36 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 12.06.17 20:51, Stefan Claas wrote:
> On 12.06.17 20:18, Ludwig Hügelschäfer wrote:
>> Hi,
>> 
>> On 12.06.17 14:52, Stefan Claas wrote:
>> 
>>> Hi Ludwig,
>>> 
>>> I just checked again. On my Mac and on my Windows Notebook I
>>> get a green bar, from a blue "Untrusted" key when I go into
>>> Enigmail's Key Management and set the trust of that key to
>>> Ultimate...
>> Well, ultimate ownertrust is the wrong way. This setting is
>> reserved for your own keys. No wonder you get a green header
>> bar.
>> 
>> What are you trying to achieve?
>> 
> 
> Well, I assume that the majority of people who are using GnuPG are
> using it with Thunderbird/Enigmail.

I'd not sign this statement. A lot of users caring for privacy and
safety won't go for Windows. Thunderbird is not the most popular mail
client on non-Windows computers; there are quite a few other mail clients.

> Let's also assume they are not security experts like all you guys
> here on the list and let's also assume they are following popular
> tutorials like the ones from EFF:
> https://ssd.eff.org/en/module/how-use-pgp-windows because they know
> EFF are good people (like you security experts).
> 
> Now here is my thought. Mallory knows very well what I have
> described above and after he gained access to my computer he simply
> replaces one of my locally signed pub keys with a fake one where he
> sets owner trust to ultimate. A user, described as above would imho
> have a hard time to detect a fake pub key, because Enigmail shows
> for both keys a green bar.

As Robert said: If an attacker gains control over your computer,
you're busted, game over.

> Maybe as an additional security feature Enigmail should give a key
> with a set trust level of "Ultimate" a different color than green.

This would also be the case if the attacker gained access to your
computer.

What you can do: Learn, learn by playing, learn by trying to
understand what others write and by asking questions and become a
reasonably critical user. That's the hard way, but you learn best.
Second possibility would be to have a good experienced friend who
guides you along the way. Third way would be to engage an expert who
maintains your computer.

Ludwig
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
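
Added example, not part of the original message or of Enigmail/GnuPG: a small audit for the point made in the thread that ultimate ownertrust is reserved for your own keys. It parses the output of `gpg --export-ownertrust` and `gpg --list-secret-keys --with-colons` and lists keys that carry ultimate ownertrust although no secret key for them is in the keyring. The fingerprints and sample outputs below are constructed, and the function names are hypothetical.

```python
"""List keys with ultimate ownertrust that have no matching secret key."""

ULTIMATE = "6"  # level written by `gpg --export-ownertrust` for ultimate trust

def ultimate_fingerprints(ownertrust_text):
    """Parse `gpg --export-ownertrust` lines of the form FINGERPRINT:LEVEL:"""
    found = set()
    for line in ownertrust_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and header comments
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == ULTIMATE:
            found.add(fields[0].upper())
    return found

def secret_primary_fingerprints(colon_text):
    """Parse `gpg --list-secret-keys --with-colons`; keep the fpr after each sec."""
    found, want_fpr = set(), False
    for line in colon_text.splitlines():
        fields = line.split(":")
        if fields[0] == "sec":                  # primary secret key record
            want_fpr = True
        elif fields[0] == "ssb":                # subkey: its fpr is not wanted
            want_fpr = False
        elif fields[0] == "fpr" and want_fpr and len(fields) > 9:
            found.add(fields[9].upper())        # field 10 holds the fingerprint
            want_fpr = False
    return found

def ultimate_without_secret(ownertrust_text, colon_text):
    """Fingerprints trusted as 'own key' although no secret key is present."""
    own = secret_primary_fingerprints(colon_text)
    return sorted(ultimate_fingerprints(ownertrust_text) - own)

# Constructed sample data (not real keys).
OWN, OTHER, FRIEND, SUB = "A" * 40, "B" * 40, "C" * 40, "D" * 40
SAMPLE_OWNERTRUST = "\n".join([
    "# List of assigned trustvalues (constructed sample)",
    f"{OWN}:6:", f"{OTHER}:6:", f"{FRIEND}:5:"])
SAMPLE_SECRET = "\n".join([
    "sec:u:4096:1:AAAAAAAAAAAAAAAA:1497000000:::u:::scESC:",
    "fpr" + ":" * 9 + OWN + ":",
    "uid:u::::1497000000::0000::Constructed User <user@example.org>:",
    "ssb:u:4096:1:DDDDDDDDDDDDDDDD:1497000000::::::e:",
    "fpr" + ":" * 9 + SUB + ":"])

if __name__ == "__main__":
    for fpr in ultimate_without_secret(SAMPLE_OWNERTRUST, SAMPLE_SECRET):
        print("ultimate ownertrust but no secret key:", fpr)
```

As the replies in the thread note, a check like this does not help once an attacker controls the machine; it catches the misconfiguration case where ultimate trust was set on someone else's key.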
