On 21/02/2015 17:54, Daniel Kahn Gillmor wrote:
> If the malware is keeping the session keys around, it can just keep the
> session keys for everything you ever decrypt, and use them anyway to
> access your encrypted documents, independent of your button-presses.

Or just sniff the PIN.

> You're right in the abstract: the bandwidth of the "canary button" (one
> bit of LED output "secret key action requested", one bit of input "ok to
> use secret key") is too limited to protect against the sophisticated
> attack you describe, and increasing the bandwidth of the channel
> (e.g. on-device display screen, keypad) makes the UI/UX even more
> infeasible. At some point, you just have a second computer attached to
> your computer, and now there is room for that second computer to be
> compromised :/

Well, at least that one would be a dedicated computer, with very limited connection to the outside world. And if the idea of a display gets implemented, at least the kind of operation can be confirmed.

BYtE,
Diego.