On 11/07/2016 09:32 PM, Anthony Papillion wrote: ...
Is there any evidence that GnuPG password entry is not part of the keystroke data sent to Microsoft? Does GnuPG take any steps to avoid this? Can it?
It cannot. Even if it was possible to obtain conclusive evidence that currently installed OS components on some computer do not send some particular segment of the user's data back to the OS vendor, any new update of the operating system, done automatically, without continued exhaustive examination of its internals by the user, could change things and invalidate the "evidence".

Even on Linux systems, there is not much security that can be guaranteed by any program running on a network-connected computer. Even if GnuPG encryption and decryption is performed on a stand-alone computer and transferred for communication to a networked computer via a memory device, only the content of the message would be protected. All other data, specifically a complete network of who communicates with whom, when and where, is completely open to an adversary. In almost all real-life threat models, this data is just as sensitive as is the content of the message.

All of the above is not explained sufficiently well to non-technical users. This hardly matters to those that use GnuPG simply because they believe all e-mail should be encrypted for philosophical reasons, but can have dire consequences for those that use the program when they have a real need for robust protection of their communication.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
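The "who communicates with whom, when" point in the reply above can be made concrete. The following is an added example, not code from the thread or from GnuPG: it constructs a PGP-encrypted mail by hand and lists everything a passive observer of the SMTP stream learns without any key. The envelope headers are plaintext, and the OpenPGP message itself names each recipient's key ID in its Public-Key Encrypted Session Key packets (RFC 4880 section 5.1) unless the sender used GnuPG's --hidden-recipient or --throw-keyids, which write the all-zero wildcard key ID instead (the observer still sees how many recipients there were). All packets, key IDs and addresses below are constructed dummies; the session-key MPI and ciphertext are placeholders, not real encryption.

```python
# Added example, not from the gnupg-users thread and not GnuPG code: what a
# passive observer learns from a PGP-encrypted mail. Packets, key IDs and
# addresses are constructed dummies; the MPI and ciphertext are placeholders.
import base64
import email
import struct

TAG_PKESK, TAG_SEIPD = 1, 18          # RFC 4880 packet tags
WILDCARD_KEY_ID = b"\x00" * 8         # what --hidden-recipient writes

def packet_header(tag, body_len):
    """RFC 4880 new-format header: tag in the low 6 bits, 1/2/5-byte length."""
    if body_len < 192:
        length = bytes([body_len])
    elif body_len < 8384:
        n = body_len - 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", body_len)
    return bytes([0xC0 | tag]) + length

def build_pkesk(key_id, algo=1):
    """Version-3 PKESK: version, 8-byte key ID, algorithm, then the encrypted
    session-key MPI (a dummy 16-bit MPI here)."""
    body = b"\x03" + key_id + bytes([algo]) + struct.pack(">H", 16) + b"\xca\xfe"
    return packet_header(TAG_PKESK, len(body)) + body

def build_seipd(ciphertext):
    """Version-1 SEIPD packet around placeholder ciphertext."""
    return packet_header(TAG_SEIPD, len(ciphertext) + 1) + b"\x01" + ciphertext

def parse_packets(data):
    """Split a packet stream into (tag, body) pairs. Handles old- and
    new-format headers; partial body lengths (streamed data) are rejected."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if ctb & 0x40:                            # new format
            tag, first = ctb & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                     # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                length = len(data) - i            # indeterminate: rest of stream
            else:
                width = 1 << ltype                # 1, 2 or 4 length octets
                length = int.from_bytes(data[i:i + width], "big")
                i += width
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def recipient_key_ids(message):
    """Hex key ID from every PKESK packet; sixteen zeros is a hidden recipient."""
    return [body[1:9].hex().upper() for tag, body in parse_packets(message)
            if tag == TAG_PKESK and body[0] == 3]

def dearmor(text):
    """Minimal armor decoder: base64 lines between the markers, skipping armor
    headers and the trailing '=XXXX' CRC-24 line."""
    lines = text.splitlines()
    body = lines[lines.index("-----BEGIN PGP MESSAGE-----") + 1:
                 lines.index("-----END PGP MESSAGE-----")]
    body = body[body.index("") + 1:]              # drop armor headers
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def armor(packets):
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----\n" % "\n".join(lines)

def observable_metadata(raw_mail):
    """Headers plus key IDs: the who/whom/when an observer gets for free."""
    msg = email.message_from_string(raw_mail)
    return {"from": msg["From"], "to": msg["To"], "date": msg["Date"],
            "subject": msg["Subject"],
            "recipient_key_ids": recipient_key_ids(dearmor(msg.get_payload()))}

# Constructed sample: Bob and Carol named in PKESK packets, one recipient hidden.
BOB_KEY_ID = bytes.fromhex("0123456789ABCDEF")
CAROL_KEY_ID = bytes.fromhex("FEDCBA9876543210")
SAMPLE_MESSAGE = (build_pkesk(BOB_KEY_ID) + build_pkesk(CAROL_KEY_ID)
                  + build_pkesk(WILDCARD_KEY_ID) + build_seipd(b"\x00" * 32))
SAMPLE_MAIL = ("From: alice@example.org\nTo: bob@example.org, carol@example.org\n"
               "Date: Mon, 07 Nov 2016 21:32:00 -0600\nSubject: travel plans\n\n"
               + armor(SAMPLE_MESSAGE))

if __name__ == "__main__":
    for key, value in observable_metadata(SAMPLE_MAIL).items():
        print("%-18s %s" % (key + ":", value))
```

Running it prints the sender, recipients, date, the unencrypted Subject line and the three key IDs, two of them real and one the wildcard. Hiding key IDs removes one correlation handle but not the envelope headers or the recipient count; the headers are a property of the mail transport, not of GnuPG, which is the reply's point.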
