[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2

David Kronlid david at kronlid.net
Sun Sep 28 19:04:40 CEST 2014


Sorry, replace the name Andre with Anders. I mixed the two up in my reply.

/David
On 28 Sep 2014 19:02, "David Kronlid" <david at kronlid.net> wrote:

> Remembering hundreds of passwords is too hard for me, so I use KeePass. I
> use KeePass 2 and have encountered a similar problem but not the same.
> KeePass's automatic entering of the password doesn't work with GPG4Win, and
> GPG's pinentry is the only software that I have ever encountered that
> blocks the automatic entry of passwords for some reason.
>
> However if I instead copy and paste to and from the clipboard it works. =
> Ctrl+c Ctrl+v works. But this method of transferring the password is less
> secure according to the KeePass website/help.
>
> I agree with Andre that there is a possibility to improve GPG4Win here,
> and that securing a compromised computer doesn't make too much sense and
> that an encrypted hard drive removes the problem with passwords getting
> saved in swap files. Of course it's good to stop an attacker every possible
> way we can, but not if it means that the passwords get too weak. However I
> also would like to know what password manager Andre uses, as copy and paste
> to and from the clipboard actually works for gpg4win. Are you using KeePass
> or another software? Is this software really using the clipboard (in a
> normal way)? I suspect that it doesn't use the clipboard in a normal way as
> that should work fine.
>
> On Linux it's different as KeePass 2 there only uses the clipboard instead
> of the other two offered methods that the KeePass creator claims to be more
> secure on Windows, and the normal clipboard usage works with the GPG
> pinentry on both Linux and Windows.
>
> /David
> On 28 Sep 2014 17:55, "PrivacyDefence" <webmaster at privacydefence.org> wrote:
>
>> Hi Andre
>> Thank you for your response. I really appreciate that you have taken the
>> time to comment on my email.
>>
>> Quote: "Which pinentry program are you using?"
>>
>> We provide point-and-click tutorials for encryption software such as
>> Gpg4win. In our testing we install the latest version of Mozilla
>> Thunderbird and then the corresponding version of Enigmail. Enigmail
>> then handles the installation of Gpg4win. The user will then have
>> whatever version of pinentry-qt4 is installed by default.
>> It's interesting that apparently there is a fix for the lacking ability
>> to copy and paste the password, thank you for mentioning that. We try
>> however to make our tutorials as simple to follow as possible, so these
>> tweaks would make a long tutorial even longer.
>>
>> Quote: "If you just copy / paste it you defeat that and make it extremely
>> easy for other programs to grab the passphrase.
>> E.g. if your clipboard contents are swapped to disk or if you hibernate
>> it will even be stored on the disk."
>>
>> These are valid points, although only relevant if the computer should be
>> compromised. They are also the reason why you should encrypt your
>> hard disk and secure the computer against hacking. Having done that,
>> copying and pasting on your own computer should be the least of your
>> worries.
>> Also, if your computer is already compromised, the primary accident is
>> already done. Making it a bit more difficult for other programs to grab
>> your copied passwords will only give you a very minimal increase in
>> security. In fact, many would argue that the whole concept of securing a
>> computer that is already compromised is somewhat problematic.
>> I guess one could even come up with some specific threat landscapes
>> where copy and paste would be safer than typing the password manually.
>> Think "hardware keyloggers"...
>>
>> Quote: "... We have enabled copy&paste for pinentry-qt some time last
>> year. So it should work."
>>
>> This requires the tweaks you have mentioned, right? Because it does not
>> work when installing Gpg4win in the straightforward fashion that I
>> described above.
>>
>> I do get the point about choosing sensible defaults for the users, and I
>> can only wish the whole industry will some day understand the importance
>> of that. Most users go with the default, period. So thank you for trying
>> to choose the right defaults in your software. But how about the point I
>> made, that when password managers can no longer be used, people are
>> forced to choose passwords that are weak enough that they can remember
>> them and type them in manually. Won't you agree that this weakens the
>> protection provided by the password?
>>
>> ---
>> Kind regards
>> Anders
>> www.PrivacyDefence.org
>>
>> Public key:
>> www.privacydefence.org/?page_id=69
>>
>>
>>
>>
>> On 22-09-2014 10:38, Andre Heinecke wrote:
>> > Hi,
>> >
>> > On Wednesday, September 17, 2014 04:27:23 PM PrivacyDefence wrote:
>> >> Hi all
>> >> Apparently copy-paste has been disabled in the latest version of
>> >> Gpg4win. We have asked Enigmail about this and they believe it is an
>> >> issue with Gpg4win.
>> >
>> > Which pinentry program are you using? Copy and Paste is only enabled in
>> > pinentry-qt4 (you can rename pinentry-qt4.exe in your installation folder to
>> > pinentry.exe to make sure it is used if you have not configured it in your
>> > gpg-agent.conf otherwise)
>> >>
>> >> Our post:
>> >> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-September/002055.html
>> >>
>> >> Their reply:
>> >> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-September/002056.html
>> >>
>> >> So is this a bug that will be fixed, or something done deliberately?
>> >
>> > Kind of. As said above, pasting the passphrase is enabled in pinentry-qt4. The
>> > problem is that internally we jump through some hoops to ensure that the
>> > passphrase is stored in secure memory. If you just copy / paste it you defeat
>> > that and make it extremely easy for other programs to grab the passphrase.
>> > E.g. if your clipboard contents are swapped to disk or if you hibernate it
>> > will even be stored on the disk.
>> >
>> > So we advise against copy&pasting your passphrase.
>> >
>> >> I am hoping for an open debate about this, as I believe it lowers
>> >> security while also causing frustration for the users.
>> >>
>> >> Please let me hear your thoughts.
>> >
>> > As I have written above due to many requests to have the possibility to do
>> > this. (And ultimately we can only set sane defaults / recommend stuff) We have
>> > enabled copy&paste for pinentry-qt some time last year.
>> >
>> > So it should work.
>> >
>> > Best Regards,
>> > Andre
>> >
>> _______________________________________________
>> Gpg4win-users-en mailing list
>> Gpg4win-users-en at wald.intevation.org
>>
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
>>
>