
Re: mutt/580: mutt stores PGP passphrase insecurely



On Mon, Oct 24, 2005 at 11:53:52AM -0400, David Shaw wrote:
> I think it's possible to invest a lot of effort into the whole secure
> memory question.  It's a real issue, to be sure, but how relevant is
> it to most people?  For example, it's possible for an attacker with
> root access to sniff out a passphrase from swap... but really, if an
> attacker had root access, the game was already lost.

I believe this is very much not the case with regard to one's personal
security and encrypted files.  My understanding is that even if the
attacker has the user's private key, it is next to useless unless they
also have the passphrase.  Brute force passphrase attacks are
exceedingly difficult to effect, making them prohibitive for most, if
not all attackers.

If the solution I proposed is considered acceptable, then it would
seem to involve very little effort indeed, and provides a significant
enhancement to security.  Mutt can still install without the SUID bit
set by default, but should be very clear in the manual in big bold
letters (figuratively, if not literally) about the implications of
both installing SUID and not installing SUID.  I'd say that would
warrant mention in both README and in INSTALL as well...  In fact,
even if the maintainers decide to do nothing else, I think the risks
should be documented in the manual and in README.

If I have some free time this week, and Tamo doesn't beat me to it, I
may hack this up.  I'd need to investigate the "right" way to do this,
so I'll probably want to take a look at the code in gpg first...

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
