Working with an Online and Offline Computer when using GnuPG - Best Practice?

Peter Lebbing peter at digitalbrains.com
Tue Oct 10 11:22:54 CEST 2017


On 09/10/17 21:14, Stefan Claas wrote:
> So I thought maybe I buy one, let's say with Windows 10, never update
> or upgrade it due to its permanent offline state

Whether I would consider this sane or not depends a lot on the type of
data you'll be handling on the offline machine. If it's just checking
signatures on plain text, it sounds somewhat reasonable though I would
never consider Windows 10 for it. You don't know all the ways in which
it is trying to be user-friendly by interpreting data. So for all I know
even a short file stored as .txt might be checked to see if perhaps it
can be interpreted as an icon to show in the file manager. Add a buffer
overflow in the icon image parser, and you have an attack vector. At
least with free software, you can inspect the way it works, and probably
isolate all the services that are trying too hard to be helpful.

If, on the other hand, you are using rich file formats like images or
marked up documents, it sounds like a really bad idea to not patch
security vulnerabilities.

Same for Certificate Requests you are going to sign with an X.509
Certificate Authority on the offline system. A much too rich format
(ASN.1!) to not update security issues, but it would be a very common
use case for an offline system.

It would be really helpful if all you needed to transfer to the offline
system were secure data rather than software updates. But if that secure
data is anything more than trivial, I think you really do need updates,
unfortunately.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
