A few newbie Qs

Robert J. Hansen rjh at sixdemonbag.org
Sun Apr 27 12:34:07 CEST 2014


> Is this really a useful criterion?

I think so, but I'm well-known for being barking mad.  Hornswoop me
bungo pony, dogsled on ice (red and black, it's their color scheme).  By
the silverfish imperetrix whose incorrupted eye sees through the charms
of doctors and their wives...

(At some point it's really hard to distinguish random Blue Oyster Cult
lyrics from a full-on psychotic episode.)

> execute arbitrary code with your credentials, you should simply
> consider your GnuPG installation compromised whether you use the
> clipboard or not.

C&P is a time machine.

If I enter a passphrase normally on Monday and my machine is compromised
on a Tuesday, I can be confident my certificate is still secure because
I never entered my passphrase on a compromised machine.  If I enter a
passphrase via C&P on Monday and my machine is compromised on a Tuesday,
I suddenly have to worry: was my passphrase still in my C&P buffer?  Did
I remember to wipe the C&P buffer?  Did the C&P buffer get wiped
securely?  Did I...

Generally speaking, it is suboptimal to enter passphrases via C&P.  It
makes it possible for a compromise tomorrow to discover the passphrase
you entered today.

I don't doubt there are situations where it makes sense to use C&P.
I've yet to find one, though.


