
Re: mutt/580: mutt stores PGP passphrase insecurely



The following reply was made to PR mutt/580; it has been noted by GNATS.

From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
To: bug-any@xxxxxxxxxxxxx, Mutt Developers <mutt-dev@xxxxxxxx>,
        96144@xxxxxxxxxxxxxxx, wk@xxxxxxxxx
Cc: 
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Mon, 10 Oct 2005 12:27:54 +0200

 On 2005-10-09 11:03:25 -0400, Derek Martin wrote:
 
 > Well, this is very far from my area of expertise; but we all know
 > someone for whom this kind of issue is near and dear...  Does
 > Werner have anything to say about this?  I could do some
 > research, but I think it would be better to get input from
 > someone with more experience.  FWIW, how does GPG handle this
 > problem?
 
 You can run gpg setuid root so the memory that is used for sensitive
 information is locked.  That helps against having the sensitive
 information in your swap partition.
 
 > I admit, at first glance methods of solving this seem... yucky.
 > For example, locking memory (so that it does not swap to disk)
 > requires root privileges on most platforms... making mutt SUID
 > root seems like a very bad idea.  But perhaps mutt could have its
 > own passphrase agent.
 
 In that case, why not re-use gpg's?
 
 > In the end, you have a point; methods of attacking the passphrase
 > in memory require the ability to either assume the user's
 > privileges, or assume root privileges.  If an attacker can do
 > that, most likely all bets are off anyway.  For example, if a
 > rogue sysadmin were so inclined, he could install a trojaned mutt
 > which collects private key passphrases.
 
 > Still, I'd like to hear what others with more experience than I
 > have to say about this issue.  I think it would be somewhat
 > reassuring for users who don't control the system(s) on which
 > they use mutt, and don't have access to gpgagent, if some attempt
 > at solving this was made.
 
 If you don't control a system and don't trust the people who control
 it, then, please, don't process sensitive information on it.
 
 This also applies, by the way, to running gpg-agent or gpg on such
 systems.
 
 Regards,
 -- 
 Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
 
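The memory-locking approach Thomas refers to above (gpg pinning its sensitive buffers in RAM so they never reach the swap partition), as an added example that is not part of the original thread and is not mutt's or GnuPG's code. It allocates a page-aligned buffer for a passphrase, asks the kernel to lock it with mlock(), records whether that was allowed (on Linux an unprivileged process can only lock up to its RLIMIT_MEMLOCK, which is the reason the message mentions running gpg setuid root), bounds-checks the copy into it, and wipes it through a volatile pointer before freeing. The struct and function names, the 64-byte request and the sample passphrase are assumptions made for this example.

```c
/* Added example, not code from mutt or GnuPG: keep a passphrase in a
 * page-locked buffer so it cannot be paged out to swap, then wipe it.
 * All names and the sample passphrase are assumptions for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/resource.h>

struct secret_buf {
    unsigned char *mem;        /* page-aligned storage */
    size_t         len;        /* size rounded up to whole pages */
    int            locked;     /* 1 if mlock() succeeded */
    int            lock_errno; /* errno from mlock() when it failed */
};

/* Soft RLIMIT_MEMLOCK in bytes, -1 if unlimited, -2 on getrlimit error.
 * This caps mlock() for a process without CAP_IPC_LOCK (not setuid root). */
long long memlock_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0)
        return -2;
    return rl.rlim_cur == RLIM_INFINITY ? -1 : (long long)rl.rlim_cur;
}

/* Allocate at least len bytes, page aligned and zeroed, and try to pin
 * them in RAM.  Returns 0 on success, -1 if allocation itself fails.
 * A failed mlock() (EPERM/ENOMEM: no privilege or limit too low) is
 * recorded in locked/lock_errno rather than treated as fatal, so the
 * caller can warn the user or refuse to go on. */
int secret_alloc(struct secret_buf *sb, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t rounded;
    void *p = NULL;

    if (page <= 0 || len == 0)
        return -1;
    rounded = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (posix_memalign(&p, (size_t)page, rounded) != 0)
        return -1;
    memset(p, 0, rounded);
    sb->mem = p;
    sb->len = rounded;
    sb->locked = (mlock(p, rounded) == 0);
    sb->lock_errno = sb->locked ? 0 : errno;
    return 0;
}

/* Copy a NUL-terminated passphrase into the locked buffer.
 * Returns -1 and leaves the buffer untouched if it would not fit. */
int secret_store(struct secret_buf *sb, const char *passphrase)
{
    size_t n = strlen(passphrase);
    if (sb->mem == NULL || n >= sb->len)
        return -1;
    memcpy(sb->mem, passphrase, n + 1);
    return 0;
}

/* Overwrite every byte through a volatile pointer so the compiler cannot
 * drop the stores as dead writes (the classic memset-before-free problem). */
void secret_wipe(struct secret_buf *sb)
{
    volatile unsigned char *v = sb->mem;
    size_t i;
    if (v == NULL)
        return;
    for (i = 0; i < sb->len; i++)
        v[i] = 0;
}

/* Wipe, unlock and release. */
void secret_free(struct secret_buf *sb)
{
    if (sb->mem == NULL)
        return;
    secret_wipe(sb);
    if (sb->locked)
        munlock(sb->mem, sb->len);
    free(sb->mem);
    sb->mem = NULL;
    sb->len = 0;
    sb->locked = 0;
}

int main(void)
{
    struct secret_buf sb;
    const char *sample = "correct horse battery staple"; /* constructed sample */
    long long lim = memlock_limit();

    if (secret_alloc(&sb, 64) != 0) {
        perror("secret_alloc");
        return 1;
    }
    if (lim == -1)
        printf("RLIMIT_MEMLOCK: unlimited\n");
    else
        printf("RLIMIT_MEMLOCK: %lld bytes\n", lim);
    if (sb.locked)
        printf("%zu-byte buffer is locked in RAM\n", sb.len);
    else
        printf("mlock() refused (%s): passphrase could still reach swap\n",
               strerror(sb.lock_errno));
    if (secret_store(&sb, sample) != 0) {
        fprintf(stderr, "passphrase too long for buffer\n");
        secret_free(&sb);
        return 1;
    }
    /* ... hand sb.mem to the code that needs the passphrase ... */
    secret_free(&sb);
    return 0;
}
```

Run it once as an ordinary user and once with `ulimit -l 0` in the shell first: the second run prints the mlock() refusal, which is exactly the situation the message describes for a non-setuid program, and is why a program that relies on this must check the return value rather than assume the lock took.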