[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Using PGP on Insecure Machines
> > Also importantly, the user interfaces for PGP simply suck as it
> > stands, making people like Tim uninterested in going through the
....
> At the risk of repeating myself, what's the problem with wrapping PGP in
> a shell script? Works for me - see a previous mailing, complete with
> wrapper scripts. I can send either encrypted or just signed email
> without especially noticing it.
Wrapping PGP in shell scripts is only useful for people who use shells,
and a lot of people either use GUIs instead (often non-extensible ones),
or keep their PGP on PCs at home rather than their networked Unixen at work
where they get their mail. This means that to use PGP, they need to do
things like kermit from home to work, read their mail, save it in files,
kermit the files to their PC, PGP-decrypt and read them on the PC, etc.
It's a bit easier if people have remote-scriptable terminal emulators
on their PCs, which let the Unix end run a script to save the file and
download it and maybe fire up PGP on the PC, but it still feels annoyingly
like work, and if your Unix box can download files to your PC and run them,
it can run pgp-steal-keys just about as well as real PGP.
Similarly, if you've got TCP/IP running on your PC, whether through SLIP
or directly, you've still got a security risk to worry about.
You can reduce these problems by running a _real_ operating system on your PC,
but it's tougher to run your favorite applications that way,
and you still need to either run all your mail down to the PC,
which isn't practical for lots of people, or explicitly forward
the stuff down there from your main mail system.
There's another transparency problem, at least for reading encrypted mail -
you either need to type in your passphrase each time, which is annoying and
increases exposure somewhat, or you need to leave it aorund in environment
variables, etc., which also increase exposure.
On the other hand, a shell script approach can be just fine for signature
checking, as long as your mailreader has a painless interface,
since there isn't much security risk from having PGP on a machine without
your real secret key and passphrase there. There's still some risk -
if the machine is shared with other people, someone may be able to
replace PGP with pgp-cc:-kgbvax or pgp-nsa-sig-verify - but it's a start.
Bill
# Bill Stewart AT&T Global Information Solutions, aka NCR Corp
# 6870 Koll Center Parkway, Pleasanton CA, 94566 Phone 1-510-484-6204 fax-6399
# email [email protected] [email protected]
# ViaCrypt PGP Key IDs 384/C2AFCD 1024/9D6465