More secure than smartcard or cryptostick against remote attacks?

Peter Lebbing peter at digitalbrains.com
Thu Feb 7 20:31:09 CET 2013


This is silly. Yes, you can do social engineering. That's always possible. And
yes, the attacker will win against me if he wants badly enough. I know that as
well. These are all just generalities.

You seem to be implying that unless something is perfect, something is bogus,
and people should not bother. Well, the perfect is the enemy of the good, and
apart from that, you seem to call not just the OpenPGP smartcard specifically
but everything else as well bogus for being exploitable when enough effort is
put into it. Why do you even have GnuPG if you feel that an attacker worth your
time would have you in his pocket?

Actually, you might want to rethink that whole Fedora thing, because I think
someone has gone through quite some effort for your private key. He even
pretended to be Werner Koch, and laughed himself silly when you gave him a
bloody account to the machine he already owned more than you did.

Better revoke now.

I'm out. You're a smart guy. If you feel those generalities add anything to this
discussion, I feel I'm completely done with it. I can't shake the feeling you're
not in this discussion for the same reason as I.

I just now read your other mail in this thread. In it you say:

> Cards and pinpads are great at protecting private keys from being exported
> off the smartcard, but that's not the same as preventing exploits.

I'm slightly confused. Because everything you object to the device I have in
mind is equally well deployed against the smartcard, yet the smartcard
apparently is not bogus. The smartcard prevents leakage of key material, as long
as you don't put your private key in your keyring as soon as an attacker
disables access to your smart card reader. The plaintext signing device prevents
false signatures, as long as you don't put your private key in your keyring as
soon as an attacker disables access to the device. Yet only the latter is bogus,
and you haven't made clear where the difference then lies.

Whatever.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



More information about the Gnupg-users mailing list