A few newbie Qs

Peter Lebbing peter at digitalbrains.com
Sun Apr 27 11:41:27 CEST 2014


On 27/04/14 03:36, Robert J. Hansen wrote:
> Long passphrases also silently encourage users to do risky things like
> cut-and-paste them. (It's very easy for malware to look at the contents of
> your clipboard buffer.)

Is this really a useful criterion? Sure, by not using the clipboard you might
stop some non-specific malware that simply does data trawling by sending all
likely clipboard contents to a server so a hacker can see if it sees any
passphrases in there. But since the malware is already in the position to
execute arbitrary code with your credentials, you should simply consider your
GnuPG installation compromised whether you use the clipboard or not. It can
simply catch all calls to gpg2 or gpg-agent and prompt you for your passphrase.

If you're talking about a malicious site being open in the browser, I'd very
much like to hear about known, unfixed vulnerabilities that allow
server-supplied code to get at your clipboard. That would be quite a
vulnerability in my eyes.

I use Keepass2 under Debian GNU/Linux to keep all the passphrases I use on this
machine (but my OpenPGP keys are on a smartcard, they're not protected by a
password but by a PIN). Since I'm not aware that there exists a plugin for Linux
integrating Keepass2 and Firefox, I copy-paste all my web passwords, including
high-profile stuff like PayPal. Also, there are some things that will never have
integrated Keepass2 support, like command line tools, which require me to
copy-paste. If I need to check which /other/ websites I have open at the same
time (or rather: close all open websites) whenever I use Keepass2, I'd very much
like to know.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>