[Gpg4win-users-en] Initial install questions or how many red flags will we raise?

Werner Koch wk at gnupg.org
Mon Jul 2 19:44:04 CEST 2012

On Thu, 28 Jun 2012 21:45, website.reader3 at gmail.com said:

> 1. Upon invoking Kleopatra, the following tasks and subtasks were initiated:

as well as a couple of other processes.  All these processes, whether
they stay or are short lived, make up the Gpg4win system.

> There was a determined attempt to connect to the internet by the
> dbus-daemon.exe and gpgsm.exe tasks, so much so that they froze the

It might look like this, but it is not a connection to a remote machine;
it is connections to the local machine itself (localhost).
This is the only reliable interprocess communication mechanism on
Windows which cannot be used by remote boxes.  What we do is
to emulate "Unix Domain Sockets" by "TCP IPv4 sockets"; the server sides
(e.g. gpg-agent or kleopatra) are only listening for local connections.

> 3. Why is this happening, especially when we are all concerned about
> secure information? Especially CA certificates?

The Internet's CA infrastructure is highly insecure and an easy vector
to introduce all kinds of malware.  The problems have been known for more
than a decade, but only recent events made them appear above sea level.
There is a reason that all browser vendors are now trying to implement
workarounds for this system (certificate pinning, Perspective, etc.).

Thus you might be better off checking a certificate yourself and, most
important, checking the SHA-1 checksums we provide on the website and in
the announcement mails.  Note that the vanilla installer is pretty new and
we may have messed something up while uploading the file.

> I hope you understand now, why red flags have been raised in my mind.

I hope I could shed some light on it and turn the flags a bit more
towards green.



Thoughts are free.  Exceptions are governed by a federal law.
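The loopback-only socket emulation described in the mail above, as an added example that is not code from the original post or from GnuPG/libassuan. It models the scheme libassuan uses on Windows (the socket "file" holds the TCP port as a decimal line followed by a 16-byte random nonce, and a client must send that nonce first; this detail comes from libassuan's source, not from the mail). The listener binds to 127.0.0.1 only, so a remote host cannot reach it, and the nonce check stops any other local process that has not read the socket file. File name S.gpg-agent, the reply string and the helper names are my assumptions for the demo.

```python
import os
import secrets
import socket
import tempfile
import threading

NONCE_LEN = 16  # assumption: same 16-byte nonce length libassuan uses


def start_server(sockfile):
    """Listen on loopback only and write the emulated socket file."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback only: unreachable from other hosts
    srv.listen(5)
    port = srv.getsockname()[1]
    nonce = secrets.token_bytes(NONCE_LEN)
    with open(sockfile, "wb") as f:
        f.write(f"{port}\n".encode("ascii") + nonce)  # "<port>\n<nonce>"
    return srv, port, nonce


def is_loopback_only(sock):
    """The check a worried user wants: is the listener bound to 127.0.0.1?"""
    return sock.getsockname()[0] == "127.0.0.1"


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def accept_one(srv, nonce):
    """Accept one client; reply only if it presents the correct nonce."""
    conn, _peer = srv.accept()
    with conn:
        got = _recv_exact(conn, NONCE_LEN)
        ok = secrets.compare_digest(got, nonce)  # constant-time compare
        if ok:
            conn.sendall(b"OK\n")
        # on mismatch: close silently, as a rejected peer gets no reply
    return ok


def connect_via_sockfile(sockfile, nonce_override=None):
    """Client side: read port and nonce from the file, connect, send nonce."""
    with open(sockfile, "rb") as f:
        line, nonce = f.read().split(b"\n", 1)
    port = int(line)
    c = socket.create_connection(("127.0.0.1", port), timeout=5)
    with c:
        c.sendall(nonce if nonce_override is None else nonce_override)
        return c.recv(16)  # b"OK\n" on success, b"" if the server hung up


def demo():
    """Run one honest client and one client with a wrong nonce."""
    with tempfile.TemporaryDirectory() as d:
        sockfile = os.path.join(d, "S.gpg-agent")  # assumed file name
        srv, _port, nonce = start_server(sockfile)
        outcomes = []

        def server_loop():
            for _ in range(2):
                outcomes.append(accept_one(srv, nonce))

        t = threading.Thread(target=server_loop)
        t.start()
        good = connect_via_sockfile(sockfile)
        bad = connect_via_sockfile(sockfile, nonce_override=b"\x00" * NONCE_LEN)
        t.join()
        loopback = is_loopback_only(srv)
        srv.close()
        return {
            "loopback_only": loopback,
            "good_reply": good,
            "bad_reply": bad,
            "outcomes": outcomes,
        }


if __name__ == "__main__":
    print(demo())
```

On a real Gpg4win box the equivalent check is to look at the listening sockets (for example `netstat -ano` on Windows) and confirm that the gpg-agent and Kleopatra entries show a local address of 127.0.0.1 rather than 0.0.0.0 or an external interface.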

