> Eventually you'll enter your master password anyway. After that there's
> no other layer of security. All your passwords, certificates and
> PGP-keys lie about in memory. So I'm concerned about memory leaks and
> code injections.

IMO, the vast majority of users worry far too much about these. Point blank: it's all over the moment the bad guy has access to your hardware.

Back in 2007-8, my research group was approached by a major U.S. police department seeking assistance in an investigation. A suspect's laptop had been lawfully seized during arrest, but the suspect was refusing to provide a decryption password and the hard drive was secured with PGPDisk. Was there anything we could do?

We were helped by the fact the suspect closed the laptop as the police made the arrest. This meant the suspect's RAM had been swapped to disk in a hibernation file, so that when the suspect brought the laptop out of hibernation the state of the laptop could be restored.

No problem! So we know the PGPDisk's AES256 key was somewhere in a hibernation file of only about 8 gigabytes. It took us far, far longer to reverse-engineer Microsoft's proprietary compression algorithm they were using on the hibernation file than it took to actually find the AES256 key.

Once we had the AES256 key it was all over. We ultimately recovered a sizable cache of child porn from his encrypted disk space, and things went downhill for him from there.

*Do not* underestimate what a skilled attacker can do once he or she has access to your hardware. Once the attacker has access to your hardware the only question is how long it'll take them to get a total compromise, and the smart money is "a very short time indeed".

Take the time, money, and energy you're spending on worrying about post-compromise security, and apply that instead to keeping the bad guys out in the first place.