On 10/12/2010 02:26 AM, Werner Koch wrote:
> On Tue, 12 Oct 2010 04:44, d...@fifthhorseman.net said:
>
>> (e.g. one process can send a simulated mouseclick to another process
>> pretty easily) but that doesn't mean no one is running with a
>
> The standard pinentry grabs mouse and keyboard and thus we should be
> protected against this kind of attack.

I think that grabbing mouse and kbd prevents other tools from *reading*
the kbd and mouse events. It doesn't prevent synthesized events from
triggering those inputs (e.g. clicking "OK" on a button).

As a simple example, try:

    sleep 3 && xdotool key Return & echo GETPIN xxx | pinentry

The backgrounded process hits the enter key on a foregrounded (grabbed)
pinentry-gtk.

So while it's useful to protect passphrase entry from other snooping X11
applications, i don't think that the kbd/mouse grab approach is
sufficient protection for a simple confirmation prompt dialog box.

I'd be happy to be corrected on this if i'm wrong, of course.

Regards,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users