Has anyone read the article in the most recent 2600 regarding using
LD_PRELOAD to eavesdrop on gnupg?

I realize that the actual recovery of a passphrase by this means is no
better than a keylogger --

But what concerns me more (and isn't explicitly covered in the
article) is the ability to inject false randomness into GPG key
generation, or even change the plaintext going in.

I think the advice to statically link a strcmp and getenv into GPG for
purposes of checking/scrubbing the environment is a good one.

Sure - you have to trust the machine you're running on - but it seems
to me that a basic sanity check would be in order.

Thoughts?

-M


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
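
The environment sanity check suggested in the message, sketched as an added example (not code from the post, the 2600 article, or GnuPG). The function names and the list of loader variables are assumptions. In a dynamically linked binary a preloaded library is already mapped before `main` runs, so this only detects the condition and keeps it from reaching child processes.

```c
#include <stddef.h>

/* Local prefix compare, so the check does not call a libc strcmp/getenv
 * that a preloaded library could have interposed.
 * Returns 1 when entry has the form "name=..." */
static int name_is(const char *entry, const char *name)
{
    while (*name && *entry == *name) { entry++; name++; }
    return *name == '\0' && *entry == '=';
}

/* Loader-control variables treated as suspicious (assumed list). */
static const char *const risky[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", NULL
};

static int is_risky(const char *entry)
{
    for (size_t i = 0; risky[i]; i++)
        if (name_is(entry, risky[i])) return 1;
    return 0;
}

/* Detection: number of loader-control variables present in envp. */
int env_count_risky(char *const *envp)
{
    int n = 0;
    for (; *envp; envp++) n += is_risky(*envp);
    return n;
}

/* Scrubbing: compact envp in place, dropping risky entries.
 * Returns how many were removed; the array stays NULL-terminated. */
int env_scrub(char **envp)
{
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in; in++) {
        if (is_risky(*in)) removed++;
        else *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    extern char **environ;
    /* Refuse to continue (non-zero exit) if the loader was steered. */
    return env_count_risky(environ) > 0 ? 1 : 0;
}
```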
