2016-02-21 1:09 GMT+03:00 Matthew Winn <[email protected]>: > On 20/02/16 19:17, Olaf Dabrunz (Vim Github Repository) wrote: >> >> >> This may work if there is a way to keep the external program running >> (maybe attached via Vim's new channel facility). Haven't seen a server mode >> for gpg though. (Batch mode is more like an unattended mode that does only >> one operation.) >> > I'm not keen on the idea of running an external program to do encryption, > for two reasons: > > 1) How do you verify that the external program is doing what it claims to be > doing and hasn't been compromised? > > 2) It's trivially easy to use something like strace to capture plaintext > being sent to the external program. (I've seen exactly this technique used > to capture credit card numbers.)
Vim sends plaintext to the terminal in a way that can be captured by strace (and I have no idea how to avoid this when writing any terminal application), so if strace can be used, using pipes and &cryptprg will not create new vulnerabilities. Pretty sure that with permissions required to run strace capturing at least calls to UI libraries is also possible. > > -- > Matthew Winn > > > -- > -- > You received this message from the "vim_dev" maillist. > Do not top-post! Type your reply below the text you are replying to. > For more information, visit http://www.vim.org/maillist.php > > --- You received this message because you are subscribed to the Google > Groups "vim_dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
