More secure than smartcard or cryptostick against remote attacks?

Peter Lebbing peter at digitalbrains.com
Thu Feb 7 20:29:40 CET 2013


On 07/02/13 15:26, Hubert Kario wrote:
> The usual response in this kind of situation is "let me do my damn work
> already" not "hmm, interesting, let's diagnose the issue, other projects be 
> damned". Honestly, I'd probably fall victim to such an attack

Every decision is a weighing of how important things are to you. For most
people, it's a non-issue anyway. So yes, they will just get on with their work
and do the signature in software. But then this device was probably also more of
a gimmick to them. They bought it instead of a simple OpenPGP card, but can't be
bothered to do some investigation when this not quite ordinary piece of
cryptography equipment stops working? I really think their keys and signatures
must not be worth a lot to them then.

I'm not talking about myself. I would buy the device as a gimmick, actually. Or
not at all. I feel perfectly fine with my OpenPGP cards.

By the way, you talk about bisecting code changes and such. I would just grab
one of my other PC's, or install a brand new one. In the end, yes, an attacker
could thwart all my attempts. This isn't any different than for the products
that are already here today, GnuPG itself, the OpenPGP smartcards. The device
where you see your plaintext before you sign it is just an extension of the
smartcard, not a panacea. The smartcard prevents leakage of the key, as long as
you use the smartcard. The plaintext signature device prevents false signatures,
as long as you use the device.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list