
Re: mutt/580: mutt stores PGP passphrase insecurely



On 2005-10-09 11:03:25 -0400, Derek Martin wrote:

> Well, this is very far from my area of expertise; but we all know
> someone for whom this kind of issue is near and dear...  Does
> Werner have anything to say about this?  I could do some
> research, but I think it would be better to get input from
> someone with more experience.  FWIW, how does GPG handle this
> problem?

You can run gpg setuid root so the memory that is used for sensitive
information is locked.  That helps against having the sensitive
information in your swap partition.

> I admit, at first glance methods of solving this seem... yucky.
> For example, locking memory (so that it does not swap to disk)
> requires root privileges on most platforms... making mutt SUID
> root seems like a very bad idea.  But perhaps mutt could have its
> own passphrase agent.

In that case, why not re-use gpg's?

> In the end, you have a point; methods of attacking the passphrase
> in memory require the ability to either assume the user's
> privileges, or assume root privileges.  If an attacker can do
> that, most likely all bets are off anyway.  For example, if a
> rogue sysadmin were so inclined, he could install a trojaned mutt
> which collects private key passphrases.

> Still, I'd like to hear what others with more experience than I
> have to say about this issue.  I think it would be somewhat
> reassuring for users who don't control the system(s) on which
> they use mutt, and don't have access to gpgagent, if some attempt
> at solving this was made.

If you don't control a system and don't trust the people who control
it, then, please, don't process sensitive information on it.

This also applies, by the way, to running gpg-agent or gpg on such
systems.

Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
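The memory locking Thomas refers to is an mlock() call on the pages that hold the passphrase. The example below is added here and is not code from mutt or gpg; the secret_buf type and its functions are hypothetical names chosen for illustration. It shows the pattern an application can use without being setuid root: allocate page-aligned memory, try mlock() and record whether it succeeded (on Linux an unprivileged process may lock up to RLIMIT_MEMLOCK bytes, and CAP_IPC_LOCK or root lifts that limit), and wipe the buffer through a volatile pointer before releasing it so the secret does not linger in freed heap pages.

```c
/* Added example, not mutt's or gpg's code. secret_buf and its helpers
 * are hypothetical names. Demonstrates mlock()-backed storage for a
 * passphrase plus a wipe that the compiler cannot optimise away. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

struct secret_buf {
    char  *data;   /* page-aligned storage for the passphrase */
    size_t cap;    /* bytes allocated, rounded up to whole pages */
    int    locked; /* 1 if mlock() succeeded, 0 if pages may be swapped */
};

/* Allocate at least `len` bytes, page aligned, and try to pin them with
 * mlock(). Returns 0 on success, -1 if allocation failed. A failed lock
 * is not fatal: sb->locked tells the caller the secret could hit swap. */
int secret_buf_init(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    size_t pg  = (size_t)page;
    size_t cap = ((len + pg - 1) / pg) * pg;
    void *p = NULL;
    if (posix_memalign(&p, pg, cap) != 0) return -1;
    memset(p, 0, cap);
    sb->data   = p;
    sb->cap    = cap;
    sb->locked = (mlock(p, cap) == 0) ? 1 : 0;
    return 0;
}

/* Copy a passphrase into the buffer; returns -1 if it does not fit. */
int secret_buf_set(struct secret_buf *sb, const char *pass)
{
    size_t n = strlen(pass);
    if (n + 1 > sb->cap) return -1;
    memcpy(sb->data, pass, n + 1);
    return 0;
}

/* Overwrite through a volatile pointer so the stores are not removed as
 * dead writes (the same intent as explicit_bzero() or memset_s()). */
void secret_buf_wipe(struct secret_buf *sb)
{
    volatile char *p = sb->data;
    for (size_t i = 0; i < sb->cap; i++) p[i] = 0;
}

/* Returns 1 if every byte is zero; used to confirm that a wipe happened. */
int secret_buf_is_zeroed(const struct secret_buf *sb)
{
    for (size_t i = 0; i < sb->cap; i++)
        if (sb->data[i] != 0) return 0;
    return 1;
}

/* Wipe, unlock and release. Wipe before free(): the allocator may hand
 * the same pages to the next caller and nothing else clears them. */
void secret_buf_free(struct secret_buf *sb)
{
    if (!sb->data) return;
    secret_buf_wipe(sb);
    if (sb->locked) munlock(sb->data, sb->cap);
    free(sb->data);
    sb->data   = NULL;
    sb->cap    = 0;
    sb->locked = 0;
}

int main(void)
{
    struct secret_buf sb;
    if (secret_buf_init(&sb, 256) != 0) return 1;
    /* Constructed sample passphrase; a real program would read it with
     * terminal echo disabled, never from argv or the environment. */
    secret_buf_set(&sb, "correct horse battery staple");
    printf("passphrase buffer %s\n",
           sb.locked ? "locked: pages will not be swapped out"
                     : "NOT locked: check RLIMIT_MEMLOCK or CAP_IPC_LOCK");
    secret_buf_free(&sb);
    return 0;
}
```

A locked buffer only addresses the swap exposure; it does nothing against a user with ptrace access or a root who can read /proc/PID/mem, which is the point the reply makes about untrusted systems. Locking and wiping are also what gpg-agent does on its own behalf, which is why reusing the agent rather than adding a second passphrase cache is the lower-risk choice.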
