Pinentry makes it awfully easy to snoop all passwords entered by the user

NIIBE Yutaka gniibe at fsij.org
Thu Aug 29 04:17:37 CEST 2013


On 2013-08-28 at 20:46 +0200, Niklas Schnelle wrote:
> However it would be nice to have a way to disable tracing for normal
> users, I mean there isn't really any reason another process should be
> able to watch your processes' system calls just like there are
> facilities to keep the kernel from swapping certain RAM areas.

FYI, we have a ticket at BTS:

   https://bugs.g10code.com/gnupg/issue1509

This is not about passphrases but private keys, but it discusses the same thing.

I'm not sure what kind of threat you imagine.

My solution against the scenario (you suggested) would be just not to
install strace or gdb.  Or, my easier and precise attack would be
replacing pinentry to log sessions to save passphrase(s).