Working with an Online and Offline Computer when using GnuPG - Best Practice?

Stefan Claas stefan.claas at posteo.de
Tue Oct 10 14:16:23 CEST 2017


On 10.10.2017 at 11:22, Peter Lebbing wrote:

> On 09/10/17 21:14, Stefan Claas wrote:
>> So I thought maybe I buy one, let's say with Windows 10, never update
>> or upgrade it due to its permanent offline state
> Whether I would consider this sane or not depends a lot on the type of
> data you'll be handling on the offline machine. If it's just checking
> signatures on plain text, it sounds somewhat reasonable though I would
> never consider Windows 10 for it. You don't know all the ways in which
> it is trying to be user-friendly by interpreting data. So for all I know
> even a short file stored as .txt might be checked to see if perhaps it
> can be interpreted as an icon to show in the file manager. Add a buffer
> overflow in the icon image parser, and you have an attack vector. At
> least with free software, you can inspect the way it works, and probably
> isolate all the services that are trying too hard to be helpful.
>
> If, on the other hand, you are using rich file formats like images or
> marked up documents, it sounds like a really bad idea to not patch
> security vulnerabilities.
>
> Same for Certificate Requests you are going to sign with an X.509
> Certificate Authority on the offline system. A much too rich format
> (ASN.1!) to not update security issues, but it would be a very common
> use case for an offline system.
>
> It would be really helpful if all you needed to transfer to the offline
> system were secure data rather than software updates. But if that secure
> data is anything more than trivial, I think you really do need updates,
> unfortunately.
>
>
Thanks for your detailed explanation!

The only purpose I will use this offline Netbook for is to
encrypt/decrypt and sign/verify messages. Nothing more. OK, and
write messages in Notepad.

Regards
Stefan


