emacs-devel

Re: Security flaw in pgg-gpg-process-region?


From: Daiki Ueno
Subject: Re: Security flaw in pgg-gpg-process-region?
Date: Tue, 05 Sep 2006 20:57:26 +0900

>>>>> In <address@hidden> 
>>>>>   Richard Stallman <address@hidden> wrote:
>     When decrypting PGP messages PGG will send your passphrase along
>     with data, so if Emacs process is killed and [someone else has]
>     stolen your note PC, your passphrase can also be stolen from the
>     temp file.

> Since it is not likely for Emacs to be killed just while it is running
> GPG, I think that very few users have such temp files lying around.
> So the thief would need to be very lucky (as well as knowing about
> such things) in order to get anyone's pass phrase.

I don't think so.  The rationale is, (1) decrypting large data takes
some time, (2) the user tends to interrupt Emacs from the terminal, and
(3) every file PGG writes out is in the same format

"address@hidden@se
-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----"

I think every security problem looks not feasible, at a glance.

Regards,
-- 
Daiki Ueno
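
Added example, not part of the original message and not PGG code: a check a user could run over a temporary directory for leftover files in the format described above, one leading line followed by an armored PGP message. The directory to scan and the reading of the leading line as a single passphrase line are assumptions; the sample files are constructed.

```python
import os
import stat
import tempfile

ARMOR_BEGIN = b"-----BEGIN PGP MESSAGE-----"

def looks_like_leftover(path, head_bytes=4096):
    """True if the file starts with one non-empty line, then the armor header."""
    # Assumption: the leading line is where the passphrase sits. It is only
    # tested for presence, never returned or printed.
    try:
        with open(path, "rb") as fh:
            lines = fh.read(head_bytes).splitlines()
    except OSError:
        return False
    return (len(lines) >= 2
            and lines[0].strip() != b""
            and not lines[0].startswith(b"-----BEGIN ")
            and lines[1].strip() == ARMOR_BEGIN)

def scan(directory):
    """Return sorted (path, readable_by_others) pairs for suspect regular files."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished while scanning
            if stat.S_ISREG(st.st_mode) and looks_like_leftover(path):
                hits.append((path, bool(st.st_mode & 0o077)))
    return sorted(hits)

def demo():
    """Write constructed sample files to a scratch directory; return flagged names."""
    armored = ARMOR_BEGIN + b"\n...\n-----END PGP MESSAGE-----\n"
    samples = {
        "leftover.tmp": b"constructed-passphrase\n" + armored,  # constructed
        "plain.asc": armored,  # ordinary armored message, must not be flagged
        "notes.txt": b"meeting at noon\nbring laptop\n",
    }
    with tempfile.TemporaryDirectory() as scratch:
        for name, body in samples.items():
            with open(os.path.join(scratch, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(p) for p, _ in scan(scratch)]

if __name__ == "__main__":
    print(demo())
```

Any file that `scan` reports on a real system should be deleted and the passphrase it held treated as exposed.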



