Hi GnuPG users,

I'm a happy user of PGP and the GPG agent with its little friend the GTK pinentry program to facilitate usage. I've been starting to wonder, though, how easy it would be to fake a GPG pinentry window.

Let me explain: having several background-ish applications making use of the agent, it happens that the pinentry sometimes pops up when the passphrase cache has expired. One of my first concerns is that there's no way to identify which application actually needs to use my PGP key. This one seems to be partially addressed in [0], as the application could set the title of the pinentry program. However, I can't see any reason why a malicious application couldn't set the title to some valid application in order to be able to use my key without my consent.

This leads me to a generalization of the problem: how easy would it be to create a pinentry-lookalike program, pretending to be called by a valid application in order to steal a user's passphrase? And, then, how can that be prevented? (I mean beside the obvious “don't get your computer hacked” solution.)

Thanks in advance for your insight.

PS: please CC me on any answer as I'm not subscribed to the list.

[0] https://bugs.g10code.com/gnupg/issue966

--
Olivier Mehani <[email protected]>
PGP fingerprint: 3720 A1F7 1367 9FA3 C654 6DFB 6845 4071 E346 2FD1
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
