The following reply was made to PR mutt/580; it has been noted by GNATS.

From: Thomas Roessler <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Mutt Developers <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc:
Subject: Re: mutt/580: mutt stores PGP passphrase insecurely
Date: Mon, 10 Oct 2005 12:27:54 +0200
On 2005-10-09 11:03:25 -0400, Derek Martin wrote:

> Well, this is very far from my area of expertise; but we all know someone for whom this kind of issue is near and dear... Does Werner have anything to say about this? I could do some research, but I think it would be better to get input from someone with more experience. FWIW, how does GPG handle this problem?

You can run gpg setuid root so the memory that is used for sensitive information is locked. That helps against having the sensitive information in your swap partition.

> I admit, at first glance methods of solving this seem... yucky. For example, locking memory (so that it does not swap to disk) requires root privileges on most platforms... making mutt SUID root seems like a very bad idea. But perhaps mutt could have its own passphrase agent.

In that case, why not re-use gpg's?

> In the end, you have a point; methods of attacking the passphrase in memory require the ability to either assume the user's privileges, or assume root privileges. If an attacker can do that, most likely all bets are off anyway. For example, if a rogue sysadmin were so inclined, he could install a trojaned mutt which collects private key passphrases.
>
> Still, I'd like to hear what others with more experience than I have to say about this issue. I think it would be somewhat reassuring for users who don't control the system(s) on which they use mutt, and don't have access to gpgagent, if some attempt at solving this was made.

If you don't control a system and don't trust the people who control it, then, please, don't process sensitive information on it. This also applies, by the way, to running gpg-agent or gpg on such systems.

Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
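The memory-locking approach discussed in the thread, as an added example that is neither mutt's nor GnuPG's code: a small C helper that allocates a passphrase buffer, tries to pin it with mlock() so it cannot be paged to swap, records why pinning failed when the process lacks the privilege or quota, and wipes the buffer through a volatile pointer before freeing it. The names secret_buf, secret_alloc, secret_wipe, secret_is_zero and secret_free are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/mman.h>

struct secret_buf {      /* passphrase buffer, pinned in RAM when allowed */
    char *data;
    size_t len;
    int locked;          /* 1 if mlock() succeeded, 0 otherwise */
    int lock_errno;      /* errno from a failed mlock(), 0 if it succeeded */
};

/* Allocate a zeroed buffer and try to keep it out of swap with mlock().
 * Without root/CAP_IPC_LOCK, mlock() fails with EPERM, or with ENOMEM once
 * RLIMIT_MEMLOCK is exhausted; the buffer still works, it is just unpinned. */
int secret_alloc(struct secret_buf *s, size_t len)
{
    s->locked = 0; s->lock_errno = 0;
    s->data = calloc(1, len);
    s->len = s->data ? len : 0;
    if (!s->data) return -1;
    /* Linux rounds the range out to page boundaries for us. */
    if (mlock(s->data, s->len) == 0) s->locked = 1;
    else s->lock_errno = errno;
    return 0;
}

/* Zero through a volatile pointer so the compiler cannot drop the wipe as a
 * dead store, which it may do with a plain memset() right before free(). */
void secret_wipe(struct secret_buf *s)
{
    volatile char *p = (volatile char *)s->data;
    for (size_t i = 0; i < s->len; i++) p[i] = 0;
}

int secret_is_zero(const struct secret_buf *s)   /* 1 if every byte is zero */
{
    for (size_t i = 0; i < s->len; i++) if (s->data[i]) return 0;
    return 1;
}

/* Wipe first, then unlock and release; the stale pointer is cleared too. */
void secret_free(struct secret_buf *s)
{
    if (!s->data) return;
    secret_wipe(s);
    if (s->locked) munlock(s->data, s->len);
    free(s->data);
    s->data = NULL; s->len = 0; s->locked = 0;
}
```

A caller that finds `locked == 0` can decide whether to refuse to cache the passphrase at all, which is the trade-off the thread is about.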