[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2
PrivacyDefence
webmaster at privacydefence.org
Sun Sep 28 17:55:12 CEST 2014
Hi Andre
Thank you for your response. I really appreciate that you have taken the
time to comment on my email.
Quote: "Which pinentry program are you using?"
We provide point-and-click tutorials for encryption software such as
Gpg4win. In our testing we install the latest version of Mozilla
Thunderbird and then the corresponding version of Enigmail. Enigmail
then handles the installation of Gpg4win. The user will then have
whatever version of pinentry-qt4 is installed by default.
It's interesting that apparently there is a fix for the lacking ability
to copy and paste the password, thank you for mentioning that. We try
however to make our tutorials as simple to follow as possible, so these
tweaks would make a long tutorial even longer.
Quote: "If you just copy / paste it you defeat that and make it extremely
easy for other programs to grab the passphrase.
E.g. if your clipboard contents are swapped to disk or if you hibernate
it will even be stored on the disk."
These are valid points, although only relevant if the computer should be
compromised. They are also the reason why you should encrypt your
hard disk and secure the computer against hacking. Having done that,
copying and pasting on your own computer should be the least of your
worries.
Also, if your computer is already compromised, the primary accident is
already done. Making it a bit more difficult for other programs to grab
your copied passwords will only give you a very minimal increase in
security. In fact, many would argue that the whole concept of securing a
computer that is already compromised is somewhat problematic.
I guess one could even come up with some specific threat landscapes
where copy and paste would be safer than typing the password manually.
Think "hardware keyloggers"...
Quote: "... We have enabled copy&paste for pinentry-qt some time last
year. So it should work."
This requires the tweaks you have mentioned, right? Because it does not
work when installing Gpg4win in the straightforward fashion that I
described above.
I do get the point about choosing sensible defaults for the users, and I
can only wish the whole industry will some day understand the importance
of that. Most users go with the default, period. So thank you for trying
to choose the right defaults in your software. But how about the point I
made, that when password managers can no longer be used, people are
forced to choose passwords that are weak enough that they can remember
them and type them in manually. Won't you agree that this weakens the
protection provided by the password?
---
Kind regards
Anders
www.PrivacyDefence.org
Public key:
www.privacydefence.org/?page_id=69
On 22-09-2014 10:38, Andre Heinecke wrote:
> Hi,
>
> On Wednesday, September 17, 2014 04:27:23 PM PrivacyDefence wrote:
>> Hi all
>> Apparently copy-paste has been disabled in the latest version of
>> Gpg4win. We have asked Enigmail about this and they believe it is an
>> issue with Gpg4win.
>
> Which pinentry program are you using? Copy and Paste is only enabled in
> pinentry-qt4 (you can rename pinentry-qt4.exe in your installation folder to
> pinentry.exe to make sure it is used if you have not configured it in your
> gpg-agent.conf otherwise)
>>
>> Our post:
>> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-September/002055.html
>>
>> Their reply:
>> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-September/002056.html
>>
>> So is this a bug that will be fixed, or something done deliberately?
>
> Kind of. As said above, pasting the passphrase is enabled in pinentry-qt4. The
> problem is that internally we jump through some hoops to ensure that the
> passphrase is stored in secure memory. If you just copy / paste it you defeat
> that and make it extremely easy for other programs to grab the passphrase.
> E.g. if your clipboard contents are swapped to disk or if you hibernate it
> will even be stored on the disk.
>
> So we advise against copy&pasting your passphrase.
>
>> I am hoping for an open debate about this, as I believe it lowers
>> security while also causing frustration for the users.
>>
>> Please let me hear your thoughts.
>
> As I have written above due to many requests to have the possibility to do
> this. (And ultimately we can only set sane defaults / recommend stuff) We have
> enabled copy&paste for pinentry-qt some time last year.
>
> So it should work.
>
> Best Regards,
> Andre
>