On Wed, Jun 11, 2008 at 08:11:36PM -0400, Faramir wrote:
> michael graffam wrote:
>
> >> Or turn on typescript by default.
> >
> > Doesn't save GPG passphrases.
>
> Is typescript some sort of keylogger? If it is, I don't see any reason
> why a keylogger can't catch the gpg passphrase (warning: there may be a
> very good reason for that, it is me the one that doesn't see it).

Typescript is sort of an output keylogger. It's mainly used to produce a "script" of a session. It's true that it doesn't record passphrases, but you can write a program that does the same thing. Note, I left out a line of code in the previous example if anyone wants to try it:

    openpty(&master,&slave,NULL,NULL,NULL);

> So, if there is a way to increase security, I, as end user, would
> welcome it. But we need to always keep in mind security is never
> absolute. The only secure computer, is the one stored inside a safe.

Defending against LD_PRELOAD doesn't actually make GPG safer overall. It just makes it more complex.

Incidentally, there is a really easy way to "defend" against LD_PRELOAD in GPG: just make it setuid root. GPG is smart enough to see it is setuid root and drop the root privs early, and most dynamic linkers automatically disable LD_PRELOAD for setuid binaries.

David
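The setuid remark at the end of this message, as an added example that is not code from the thread or from GnuPG: a small C check that reads the kernel's AT_SECURE flag and counts which LD_PRELOAD entries the loader would still consider. It assumes glibc's rules as documented in ld.so(8) (in secure-execution mode, preload entries containing a slash are ignored); the function names are hypothetical.

```c
#include <elf.h>        /* AT_SECURE */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval() */
#include <unistd.h>

/* Count the LD_PRELOAD entries the dynamic loader would still consider.
 * Entries are separated by spaces or colons. In secure-execution mode,
 * entries containing '/' are dropped; the remaining bare names must
 * additionally live in a standard directory and carry the set-user-ID
 * bit, which this function does not check. */
int preload_candidates(const char *ld_preload, int secure)
{
    int n = 0;
    if (ld_preload == NULL)
        return 0;
    const char *p = ld_preload;
    while (*p) {
        p += strspn(p, " :");             /* skip separators */
        size_t len = strcspn(p, " :");    /* length of this entry */
        if (len == 0)
            break;
        if (!secure || memchr(p, '/', len) == NULL)
            n++;
        p += len;
    }
    return n;
}

/* Secure-execution mode as the kernel reported it to this process:
 * non-zero for set-user-ID / set-group-ID binaries, among other cases. */
int in_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

int main(void)
{
    const char *env = getenv("LD_PRELOAD");
    int secure = in_secure_mode();
    printf("uid=%d euid=%d AT_SECURE=%d\n",
           (int)getuid(), (int)geteuid(), secure);
    printf("LD_PRELOAD entries still considered: %d\n",
           preload_candidates(env, secure));
    return 0;
}
```

Run as an ordinary binary, it reports AT_SECURE=0 and counts every entry; installed set-user-ID, the same binary reports AT_SECURE=1.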