Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 29/03/2015 9:47 am, Jérôme Pinguet wrote:
> By the way Daniel, thanks for your GPG best practices page and more generally for your work related to GPG, Riseup and Debian! :-) I often refer to Riseup GPG Best practices during the cryptoparties I organize in Marseille.

Great to hear that at least somewhere in the world people are still running cryptoparties like two and a half years ago (in spite of the quite vicious attack on Asher by certain misogynistic hacker types in a certain European computing club). So though we don't run them ourselves anymore, or at least for the moment, we're always very pleased to hear that the original idea is not dead.

Cheers! :)

Regards,
Ben

signature.asc
Description: OpenPGP digital signature

___
enigmail-users mailing list
enigmail-users@enigmail.net
To unsubscribe or make changes to your subscription click here:
https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 5/04/2015 11:50 pm, Patrick Brunschwig wrote:
> On 05.04.15 15:41, Ben McGinnes wrote:
>> However, if you're in real trouble from this, the version of pinentry and gpg-agent I have running with GPG 2.1.2 include a little tick box which allows the passphrase to be visible when you type it in. I don't use it myself, but no doubt others will. Presumably you can't see that and I assume it is gpg-agent itself (bundled with the GnuPG release) rather than pinentry, which is the same library for both 2.0 and 2.1.
>
> That's the special version of pinentry for Mac OS X only. pinentry-mac is not part of the official GnuPG toolchain but maintained separately. The versions for Windows and Linux (which are provided by GnuPG) don't have this feature.

Interesting, I hadn't realised that. Especially since I'm not using GPGTools, though that is tucked away in its own little directory, safely out of the way of anything resembling my $PATH. This whole setup is a slightly customised compilation of the sources from MacPorts and the gnupg-2.1.2 tarball's checksum matched the one I originally downloaded from gnupg.org, hence assuming that it was the same gpg-agent. Since it isn't, that might explain a few things, like how I was finally able to get past those damned linker errors which prevented compiling that other copy (and all its predecessors).

Well, I'm sure it will be more or less fine. I only made the switch now because somebody decided to drop support for 1.4 in Enigmail. ;)

Anyway, I'm pretty sure that the only configuration detail I haven't yet fully tracked down in the new system is getting proxies correctly configured for accessing the keyservers (to avoid traffic analysis under the new mandatory data retention laws here and potentially reveal the identities of those I'm corresponding with). If that can't really be sorted out easily, though, I'll just add an SKS server after I next upgrade my server and counter that sort of analysis with everything. It's only about 6.5Gb anyway.

Regards,
Ben
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 26/03/2015 9:36 am, Andre Lahmann wrote:
> Ok, just for the record: this is an issue with pinentry - see e.g.
> https://bugs.launchpad.net/ubuntu/+source/pinentry/+bug/326132
> https://bugs.g10code.com/gnupg/issue1374
> https://bugs.g10code.com/gnupg/issue1368
>
> It's absolutely ridiculous how usability is screwed by design and justified with security reasons...

As Ludwig and Robert said, there are good reasons. However, if you're in real trouble from this, the version of pinentry and gpg-agent I have running with GPG 2.1.2 include a little tick box which allows the passphrase to be visible when you type it in. I don't use it myself, but no doubt others will. Presumably you can't see that and I assume it is gpg-agent itself (bundled with the GnuPG release) rather than pinentry, which is the same library for both 2.0 and 2.1.

Regards,
Ben
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 29/03/2015 10:32, Samir Nassar wrote:
> On Sunday, March 29, 2015 10:26:53 AM Anne Wilson wrote:
>> Personally I prefer my password to be a reference to a book - and you haven't a snowball in hell's chance of knowing which book or what reference to it :-) I doubt if even my closest family would guess the book.
>
> You might be wrong, you might be right, at most you are right for the situation you live in. Part of the discussion happening here is about general principles that cover cases where the risk is assessed to be adversaries who are making a trillion guesses per second.

I'm cautious, but not paranoid. Since the result looks like a random sequence it would not be easy to crack, and there are certainly easier places for him to go. However, I appreciate that in some circumstances, for example corporate accounts, you may have to take some additional precaution. I do feel strongly, though, that the more complicated something is, and the more steps it takes to complete the entry, the more you increase the risk. A personal opinion, though.

Anne
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 28/03/15 20:30, Daniel Kahn Gillmor wrote:
> I quite like the Keepass approach. But it's not clear to me that this will work, at least for the versions of pinentry i've seen that grab the input devices (i'm seeing this on X11, at any rate). In this case, I don't think there is a way to trigger keepass to get it to type into the pinentry dialog.
>
> What platforms has this approach been tested on?

I used KeePass2 on WindowsXP and 7 for some years and the autotype with 2 channel obfuscation worked very well, as did the selection and inclusion of the various dialog boxes that would require auto-completion with either username and password or just password according to the case. This included the pinentry boxes. KeePass2 wipes the clipboard after a delay which can be set by the user.

When I moved from Windows to UbuntuStudio 14.04, I tried KeePassX which was in the distro as standard but it seemed to me more limited so I went back to KeePass2 and had quite a bit of trouble to get the autotype working although the KeePass website does have some info. The difficulty was linked to the dependence on mono. It still doesn't work in the same easy fashion that I had with Windows7 and I can't get a system wide keyboard shortcut for autotype to work at all. Nor can I get the KeePass2 shortcut of Ctrl-V to do the autotype but a rightclick followed by a left click on the dropdown list does work ok.

(I noticed a Ubuntu software update a few days ago included some stuff on mono. Today, I have found that my keyboard numeric pad no longer works inside KeePass2 and I'm wondering if the two events are connected.)

Philip
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On Sunday, March 29, 2015 10:26:53 AM Anne Wilson wrote:
> Personally I prefer my password to be a reference to a book - and you haven't a snowball in hell's chance of knowing which book or what reference to it :-) I doubt if even my closest family would guess the book.

You might be wrong, you might be right, at most you are right for the situation you live in. Part of the discussion happening here is about general principles that cover cases where the risk is assessed to be adversaries who are making a trillion guesses per second.

Samir
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 28/03/2015 19:30, Daniel Kahn Gillmor wrote:
> I suppose the underlying question is whether you think the user's OpenPGP passphrase is one of these strong passphrases that they should be able to remember, or whether you think it should be delegated to the mechanized password store

I don't believe a password needs to be either insanely long or too complicated to remember. Surely it only needs to be something impossible to crack in a dictionary attack, yet based on something memorable to you but unknown to others. Personally I prefer my password to be a reference to a book - and you haven't a snowball in hell's chance of knowing which book or what reference to it :-) I doubt if even my closest family would guess the book.

Anne
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 3/29/15 2:32 AM, Samir Nassar wrote:
> On Sunday, March 29, 2015 10:26:53 AM Anne Wilson wrote:
>> Personally I prefer my password to be a reference to a book - and you haven't a snowball in hell's chance of knowing which book or what reference to it :-) I doubt if even my closest family would guess the book.
>
> You might be wrong, you might be right, at most you are right for the situation you live in. Part of the discussion happening here is about general principles that cover cases where the risk is assessed to be adversaries who are making a trillion guesses per second.

Um, no, it really isn't. :)

The two components of your sentence, general principles and adversaries ..., don't go together, at all. Yes, there are some people who use PGP for serious, even potentially life-threatening purposes. Those people need really strong pass phrases, and perhaps even ones that are so long that they cannot be remembered, or typed easily. But the vast majority of PGP users are doing it because it's fun, and have no need for that kind of drama.

Is it nice to encourage good operational practices for pass phrases for the general type of user? Of course it is, and we should do that. But pretending that super-long, untypable pass phrases apply to anyone except an extreme few is just silliness. But worse than it being ridiculous on its face, by pretending that these kinds of practices are, or should be, commonplace it makes it harder for people who would like to learn about encryption to do so.

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
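To put numbers on the "trillion guesses per second" figure the three posts above argue over, here is an added worked calculation (written for this page, not code from any list participant). It carries the thread's own cases through the arithmetic: 20 and 40 random printable characters (the length range Jérôme quotes later) and a memorable phrase modelled, as an assumption, as words drawn uniformly from a 7776-word list; the guess rate and the 7776-word list size are the only parameters.

```python
import math

# Guess rate quoted in the thread: an adversary making a trillion guesses per second.
GUESSES_PER_SECOND = 1e12

# Assumption for this illustration: each guess costs the adversary one trial at that
# rate, i.e. the rate is taken to already include any key stretching on the secret key.


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of a secret built from `picks` independent uniform choices out of `pool_size`."""
    if pool_size < 2 or picks < 1:
        raise ValueError("need at least two choices and one pick")
    return picks * math.log2(pool_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average the attacker searches half the space."""
    return (2.0 ** bits) / 2.0 / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (years, days, hours, minutes)."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare_models(rate: float = GUESSES_PER_SECOND) -> list:
    """Work the thread's cases through the arithmetic at the given guess rate.

    Random characters: 20 and 40 printable-ASCII characters (95 symbols).
    Word-based: 4 and 6 words drawn uniformly from a 7776-word list, a constructed
    stand-in for a memorable phrase.  Uniform choice is the best case; a phrase
    with structure an attacker can model has less entropy than this.
    """
    cases = [
        ("20 random printable chars", 95, 20),
        ("40 random printable chars", 95, 40),
        ("4 words from a 7776-word list", 7776, 4),
        ("6 words from a 7776-word list", 7776, 6),
    ]
    results = []
    for label, pool, picks in cases:
        bits = entropy_bits(pool, picks)
        secs = expected_crack_seconds(bits, rate)
        results.append({"label": label, "bits": round(bits, 1),
                        "seconds": secs, "readable": human_duration(secs)})
    return results


if __name__ == "__main__":
    for row in compare_models():
        print(f"{row['label']:32} {row['bits']:6.1f} bits  ~{row['readable']}")
```

Changing `GUESSES_PER_SECOND` to a slower offline rate shows how much of the disagreement in the thread is really a disagreement about the adversary.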
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 3/28/15 11:57 AM, Daniel Kahn Gillmor wrote:
> If the only concern is leaving sensitive data in the clipboard after use, maybe pinentry could *accept* pastes, but then also clear the clipboard after it was pasted into?

First, this discussion is moot because Werner won't change this.

Second, what you're describing isn't safe. Malware that watches the clipboard will still pick up what's pasted onto it, even if it gets cleared immediately after.

Finally, someone else already posted the right answer, a tool like Keepass can auto-type the password, bypassing the clipboard. It's also thought to be safe against key loggers, although there is some dispute on that topic.

I think that a case can be made for a better plan to be using a password that you can remember, and type. I would also argue that for most people there is no threat model that justifies a password so long that you can't remember or type it. :)

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
[redirecting to gnupg-devel, setting mail-followup-to: there]

On Wed 2015-03-25 18:26:38 -0400, Robert J. Hansen wrote:
>> My guess is that this is for added security.
>
> Correct. Werner Koch has said several times that he will not change the code to permit CP into the dialog box, as that would leave sensitive data in your clipboard -- and the clipboard, by definition, can be read by any application, including malware.

If the only concern is leaving sensitive data in the clipboard after use, maybe pinentry could *accept* pastes, but then also clear the clipboard after it was pasted into?

I understand that this still encourages people to put their passphrases into the clipboard, but that seems to be happening anyway. What if, upon accepting a paste, pinentry was to expand the dialog a bit and show a warning that says something like:

  Pasted! Your clipboard has also been emptied, so that your passphrase isn't exposed to other applications. GnuPG recommends never copying your passphrase to the clipboard.

--dkg
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 3/28/15 12:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because that's where this message went, even though i don't understand the reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>> Finally, someone else already posted the right answer, a tool like Keepass can auto-type the password, bypassing the clipboard. It's also thought to be safe against key loggers, although there is some dispute on that topic.
>
> I quite like the Keepass approach. But it's not clear to me that this will work, at least for the versions of pinentry i've seen that grab the input devices (i'm seeing this on X11, at any rate). In this case, I don't think there is a way to trigger keepass to get it to type into the pinentry dialog.

Keepass has a way to specify the target window. But that method only works with certain types of dialogs. I just tried it with the Mac GPG Tools pinentry and it doesn't work. Of course there is no reason that the standard pinentry front ends couldn't be adjusted as needed.

> What platforms has this approach been tested on?

Dunno. :)

>> I think that a case can be made for a better plan to be using a password that you can remember, and type. I would also argue that for most people there is no threat model that justifies a password so long that you can't remember or type it. :)
>
> I can sympathize with this sentiment. In general, i think users should keep a very small number of strong passphrases that they can remember and can type, and should use the main one of those passphrases to control a mechanized password store (like keepass) for all the rest of them.
>
> I suppose the underlying question is whether you think the user's OpenPGP passphrase is one of these strong passphrases that they should be able to remember, or whether you think it should be delegated to the mechanized password store.

Yes, I agree with you in principle, and I do think that the secret key password is one that should be typeable. And FWIW, one of the virtues of a secure key store like Keepass is that you can keep passwords in it whether you want to auto-type them or not. So if you have a strong password for something that you don't type often, you can keep it there to prompt your memory.

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 03/28/2015 08:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because that's where this message went, even though i don't understand the reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>> Finally, someone else already posted the right answer, a tool like Keepass can auto-type the password, bypassing the clipboard. It's also thought to be safe against key loggers, although there is some dispute on that topic.
>
> I quite like the Keepass approach. But it's not clear to me that this will work, at least for the versions of pinentry i've seen that grab the input devices (i'm seeing this on X11, at any rate). In this case, I don't think there is a way to trigger keepass to get it to type into the pinentry dialog.
>
> What platforms has this approach been tested on?

Debian Stable, KeePass2, pinentry-gtk-2 and pinentry-qt4 both work, and are both a bit slow (it might take up to 30 seconds !!! for the pinentry dialog to be accepted, but my password is not insanely long, it's in the 20-40 chars range). I tested it with both GnuPG 1.4.x and 2.0.x. In fact I use this on a daily basis combined with Enigmail.

Sometimes, for reasons beyond my grasp, pinentry complains of a wrong password. When it happens, I restart keepass2 and then it works again.

KeePass2 comes with tons of Mono packages and it's a bit sluggish, but I haven't found anything as reliable yet in the limited offer of Debian packaged free software password managers. If the KeePass2-pinentry process was faster, it would be perfect.

By the way Daniel, thanks for your GPG best practices page and more generally for your work related to GPG, Riseup and Debian! :-) I often refer to Riseup GPG Best practices during the cryptoparties I organize in Marseille.

Here is the link: https://help.riseup.net/en/security/message-security/openpgp/best-practices

Jérôme

--
OpenPGP / GPG key: 0x14B7E62420E51038
I encrypt emails with GPG, Thunderbird Enigmail.
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 25.03.15 23:36, Andre Lahmann wrote:
> Ok, just for the record: this is an issue with pinentry - see e.g.
> https://bugs.launchpad.net/ubuntu/+source/pinentry/+bug/326132
> https://bugs.g10code.com/gnupg/issue1374
> https://bugs.g10code.com/gnupg/issue1368
>
> It's absolutely ridiculous how usability is screwed by design and justified with security reasons...

Please calm down. There is a good reason to not allow cp, see Robert's post. After all, this is nothing Enigmail can change.

Ludwig
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
> My guess is that this is for added security.

Correct. Werner Koch has said several times that he will not change the code to permit CP into the dialog box, as that would leave sensitive data in your clipboard -- and the clipboard, by definition, can be read by any application, including malware.
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
Ok, just for the record: this is an issue with pinentry - see e.g.
https://bugs.launchpad.net/ubuntu/+source/pinentry/+bug/326132
https://bugs.g10code.com/gnupg/issue1374
https://bugs.g10code.com/gnupg/issue1368

It's absolutely ridiculous how usability is screwed by design and justified with security reasons...

On 25.03.2015 at 22:55, Andre Lahmann wrote:
> Hmm, I just tried it with GPGv1.4 but the pinentry dialogbox still does not allow copy and pasting... doesn't seem to be a GPGvX related issue or am I getting you wrong?
>
> Best,
> André
>
> On 25.03.2015 at 22:44, mich...@yanovich.net wrote:
>> On 03/25/2015 05:40 PM, Andre Lahmann wrote:
>>> Hello, since upgrading to Enigmail 1.8.x it's not possible anymore to paste the passphrase into the pinentry dialogbox. I'm running Xubuntu 12.04 and neither ctrl+v nor mouse buffer is working (as I am managing my passphrases with keepass I also tried autotype without success). Is this a bug or a feature?!?
>>>
>>> Best,
>>> André
>>
>> This is a feature of GPGv2. I originally discovered this a few versions ago of Enigmail (probably 1.7.2). It seems that for GPGv2 it requires specific applications for passphrase entry and of the ones that work with GPG none of them appear to allow copying/pasting of the passphrase, in my experience. My guess is that this is for added security.
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
Hmm, I just tried it with GPGv1.4 but the pinentry dialogbox still does not allow copy and pasting... doesn't seem to be a GPGvX related issue or am I getting you wrong?

Best,
André

On 25.03.2015 at 22:44, mich...@yanovich.net wrote:
> On 03/25/2015 05:40 PM, Andre Lahmann wrote:
>> Hello, since upgrading to Enigmail 1.8.x it's not possible anymore to paste the passphrase into the pinentry dialogbox. I'm running Xubuntu 12.04 and neither ctrl+v nor mouse buffer is working (as I am managing my passphrases with keepass I also tried autotype without success). Is this a bug or a feature?!?
>>
>> Best,
>> André
>
> This is a feature of GPGv2. I originally discovered this a few versions ago of Enigmail (probably 1.7.2). It seems that for GPGv2 it requires specific applications for passphrase entry and of the ones that work with GPG none of them appear to allow copying/pasting of the passphrase, in my experience. My guess is that this is for added security.
Re: [Enigmail] Paste passphrase from clipboard into pinentry dialogbox
On 03/25/2015 10:40 PM, Andre Lahmann wrote:
> Hello, since upgrading to Enigmail 1.8.x it's not possible anymore to paste the passphrase into the pinentry dialogbox. I'm running Xubuntu 12.04 and neither ctrl+v nor mouse buffer is working (as I am managing my passphrases with keepass I also tried autotype without success). Is this a bug or a feature?!?
>
> Best,
> André

Hi!

You could use keepass2 to type your password for you. In my experience it's a bit slow if you have a very long password. The trick is to increase default-cache-ttl in ~/.gnupg/gpg-agent.conf to improve usability. Change default auto-type to {Password}{ENTER}; entering the name of the target window helps (pinentry-gtk-2 or pinentry-qt4 for Debian Stable).

This method is not perfect: some malware could record virtual keystrokes from keepass2. There is a Two-channel auto-type obfuscation feature supposed to increase security but it doesn't work with pinentry-gtk-2 or pinentry-qt4 AFAIK... If anybody knows how to increase speed of keepass2 -- pinentry communication or how to enable two-channel auto-type obfuscation, let me know.

Enigmail 1.8.0 was terrible but 1.8.1 works very well on Debian Stable with regular Icedove version. Thanks for the good work! :-)

Thanks.

--
OpenPGP / GPG key: 0x14B7E62420E51038
I encrypt emails with GPG, Thunderbird Enigmail. Please do the same or use my secure contact form: https://jerome.cc/gpg