Why trust gpg4win?
Robert J. Hansen
rjh at sixdemonbag.org
Sun Aug 25 06:04:33 CEST 2013

On 8/24/2013 5:14 PM, Jan wrote:
> We will not be able to change the fact that most people use an
> insecure Windows or Mac OS, either.

In a lot of ways, Windows 7 and beyond are much harder targets to crack
than Linux is -- Microsoft's implementation of ASLR is much stronger
than Linux's, for instance, to name just one technology that makes
Windows 7 a harder target than Linux.

*No* operating system deserves the label "secure." *All* operating
systems are vulnerable to more or less equal degrees. The number one
factor in the security of a system is the diligence and attentiveness of
the system administrator. Someone who keeps a Windows box fully
patched, checks links to make sure they're not being spearphished, who
only runs apps from trusted partners, etc., is going to have a much more
secure operating system than someone running an OpenBSD box but who
clicks on everything they come across.

> GIVEN THAT, can we provide a way of secure communication for the
> majority of the people?

No, not until/unless people are willing to pay the price for secure
communication. It doesn't come for free.

Give people the choice between insecure but convenient and secure but a
difficult learning curve, and people will overwhelmingly choose the former.

We cannot make people care. That's one of the hardest truths I've had
to accept.

> It seems quite easy to advise people to have an offline windows PC
> with gpg4win on it and all their private stuff and a windows(?)
> online PC next to it. They could transfer encrypted messages with a
> USB stick from one PC to the other. I think this is a vector for an
> attacker, but how serious is this problem?

Very serious. USB tokens are great tools for propagating malware.
Compromise the box that's connected to the net, and as soon as someone
plugs a flash drive into it, compromise the flash drive. Bring it over
to the new computer, plug in there, and bang, you've spanned the air
gap. This is not a new attack: it's been known about for many years and
has been demonstrated in real-world environments.