On Fri, Oct 07, 2005 at 02:42:51PM +0200, Thomas Roessler wrote: > On 2005-10-07 04:35:02 +0200, Derek Martin wrote: > > > Er, well, come on... just because Mutt *can* use an auxiliary > > program to handle encryption passphrases securely doesn't mean > > mutt itself should completely ignore the issue. As shipped, > > mutt is vulnerable. > > > Admittedly this is not a severe issue, but it is a legitimate > > security concern. I think this really ought to be re-opened. > > I disagree, unless someone can actually demonstrate (a) a realistic > attack model against which mutt is vulnerable, and (b) a defense > against this attack model that could be implemented. > > Hint: Encrypting the pass phrase with a symmetric key that is kept > in memory is *not* a solution to an attack that is based on reading > the pass phrase from memory, since the attack is now shifted to the > equivalently complex reading of the symmetric key from memory. Well, this is very far from my area of expertise; but we all know someone for whom this kind of issue is near and dear... Does Werner have anything to say about this? I could do some research, but I think it would be better to get input from someone with more experience. FWIW, how does GPG handle this problem? I admit, at first glance methods of solving this seem... yucky. For example, locking memory (so that it does not swap to disk) requires root privileges on most platforms... making mutt SUID root seems like a very bad idea. But perhaps mutt could have its own passphrase agent. In the end, you have a point; methods of attacking the passphrase in memory require the ability to either assume the user's privileges, or assume root privileges. If an attacker can do that, most likely all bets are off anyway. For example, if a rogue sysadmin were so inclined, he could install a trojaned mutt which collects private key passphrases. Still, I'd like to hear what others with more experience than I have to say about this issue. I think it would be somewhat reassuring for users who don't control the system(s) on which they use mutt, and don't have access to gpgagent, if some attempt at solving this was made. -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers.
Attachment:
pgpym4NTEZ2vI.pgp
Description: PGP signature