On Mon, 2008-10-27 at 12:00 -0400, Robert J. Hansen wrote:
> > May we assume that this kind of pop-up cannot be imitated by a
> > hacker that wants us to type our passphrase in his box?
>
> Of course not. If your box gets pwned, the person who pwns it can do
> whatever they want to it.
I think what the original poster is asking is: Provided that a flaw in my client software is not being exploited, is it possible that this dialog box is not authentic?

For example, it's no secret that web pages can pop up alert boxes (a capability that someone visiting from the past might think is the exclusive domain of client-side applications). So trusting anything that appears in an alert box would be foolish.

> If your box is compromised, you're in a game over state.

This is true. However, nobody takes the effort to sift through every byte of machine code on their computer before decrypting a file. It's also beyond nearly everyone to compile their own software, let alone audit gnupg, gpgme, and their email client of choice for bugs that could possibly be used to obtain private keys and passphrases. So the only thing a user can do in this case is to put a little effort into developing a sense of which dialog boxes might or might not be authentic based on how they look. This defeats some attacks.

To answer the original poster's question: You are right to be concerned that the dialog box you are seeing might not be authentic, and kudos for being so security-conscious. You are doing better than 99% of the people out there. If you google "dialog spoofing", you can find out more about this problem.

Cheers,
Eric
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users