[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2

PrivacyDefence webmaster at privacydefence.org
Sun Sep 28 19:41:20 CEST 2014


Hi David
Thanks for your comments. We have tested on Windows Vista, 7 and 8 with
the same result: Copy and paste does not work. This goes for Ctrl+c and
Ctrl+v as well.

We currently recommend Password Safe but I don't believe we have
actually tested it. It uses the copy-paste feature in Windows which
seems to be completely disabled, so I am convinced it will not work.
That's the problem I'd like to bring to attention.

---
Kind regards
Anders
www.PrivacyDefence.org

Public key:
www.privacydefence.org/?page_id=69




On 28-09-2014 19:02, David Kronlid wrote:
> Remembering hundreds of passwords is to hard for me, so I use KeePass. I
> use KeePass 2 and have encountered a similar problem but not the same.
> KeePass's automatic entering of the password doesn't work with GPG4Win, and
> GPG's pinentry is the only software that I have ever encountered that
> blocks the automatic entry of passwords for some reason.
> 
> However if I instead copy and paste to and from the clipboard it works. =
> Ctrl+c Ctrl+v works. But this method of transferring the password is less
> secure according to the KeePass website/help.
> 
> I agree with Andre that there is a possibility to improve GPG4Win here, and
> that securing a compromised computer doesn't make too much sense and that
> an encrypted hard drive removes the problem with passwords getting saved in
> swap files. Of course it's good to stop an attacker every possible way we
> can, but not if it means that the passwords get too weak. However I also
> would like to know what password manager Andre uses, as copy and paste to
> and from the clipboard actually works for gpg4win. Are you using KeePass or
> another software? Is this software really using the clipboard (in a normal
> way)? I suspect that it doesn't use the clipboard in a normal way as that
> should work fine.
> 
> On Linux it's different as KeePass 2 there only uses the clipboard instead
> of the other two offered methods that the KeePass creator claim to be more
> secure on Windows, and the normal clipboard usage works with the GPG
> pinentry on both Linux and Windows.
> 
> /David
> Den 28 sep 2014 17:55 skrev "PrivacyDefence" <webmaster at privacydefence.org>:
> 
>> Hi Andre
>> Thank you for your response. I really appreciate that you have taken the
>> time to comment on my email.
>>
>> Quote: "Which pinentry program are you using?"
>>
>> We provide point-and-click tutorials for encryption software such as
>> Gpg4win. In our testing we install the latest version of Mozilla
>> Thunderbird and then the corresponding version of Enigmail. Enigmail
>> then handles the installation of Gpg4win. The user will then have
>> whatever version of pinentry-qt4 is installed by default.
>> It's interesting that apparently there is a fix for the lacking ability
>> to copy and paste the password, thank you for mentioning that. We try
>> however to make our tutorials as simple to follow as possible, so these
>> tweaks would make a long tutorial even longer.
>>
>> Quote: "If you just copy / paste it you defeat that and make it extremly
>> easy for other programs to grab the passphrase. .
>> E.g. if your clipboard contents are swapped to disk or if you hibernate
>> it will even be stored on the disk."
>>
>> These are valid points, although only relevant if the computer should be
>> compromised. They are also the reason why you should encrypt your
>> harddisk and secure the computer against hacking. Having done that,
>> copying and pasting on your own computer should be the least of your
>> worries.
>> Also, if your computer is already compromised, the primary accident is
>> already done. Making it a bit more difficult for other programs to grab
>> your copied passwords will only give you a very minimal increase in
>> security. In fact, many would argue that the whole concept of securing a
>> computer that is already compromised is somewhat problematic.
>> I guess one could even come up with some specific threat landscapes
>> where copy and paste would be safer than typing the password manually.
>> Think "hardware keyloggers"...
>>
>> Quote: "... We have enabled copy&paste for pinentry-qt some time last
>> year. So it should work."
>>
>> This requires the tweaks you have mentioned, right? Because it does not
>> work when installing Gpg4win in the straightforward fashion that I
>> described above.
>>
>> I do get the point about choosing sensible defaults for the users, and I
>> can only wish the whole industry will some day understand the importance
>> of that. Most users go with the default, period. So thank you for trying
>> to choose the right defaults in your software. But how about the point I
>> made, that when password managers can no longer be used, people are
>> forced to choose passwords that are weak enough that they can remember
>> them and type they in manually. Won't you agree that this weakens the
>> protection provided by the password?
>>
>> ---
>> Kind regards
>> Anders
>> www.PrivacyDefence.org
>>
>> Public key:
>> www.privacydefence.org/?page_id=69
>>
>>
>>
>>
>> On 22-09-2014 10:38, Andre Heinecke wrote:
>>> Hi,
>>>
>>> On Wednesday, September 17, 2014 04:27:23 PM PrivacyDefence wrote:
>>>> Hi all
>>>> Apparently copy-paste has been disabled in the latest version of
>>>> Gpg4win. We have asked Enigmail about this and they believe it is an
>>>> issue with Gpg4win.
>>>
>>> Which pinentry program are you using?  Copy and Paste is only enabled in
>>> pinentry-qt4 (you can rename pinentry-qt4.exe in your installation
>> folder to
>>> pinentry.exe to make sure it is used if you have not configured it in
>> your gpg-
>>> agent.conf otherwise)
>>>>
>>>> Our post:
>>>>
>> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-Septem
>>>> ber/002055.html
>>>>
>>>> Their reply:
>>>>
>> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-Septem
>>>> ber/002056.html
>>>>
>>>> So is this a bug that will be fixed, or something done deliberately?
>>>
>>> Kind of. As said above, pasting the passphrase is enabled in
>> pinentry-qt4. The
>>> problem is that internally we jump through some hoops to ensure that the
>>> passphrase is stored in secure memory. If you just copy / paste it you
>> defeat
>>> that and make it extremly easy for other programs to grab the
>> passphrase. .
>>> E.g. if your clipboard contents are swapped to disk or if you hibernate
>> it
>>> will even be stored on the disk.
>>>
>>> So we advise against copy&pasting your passphrase.
>>>
>>>> I am hoping for an open debate about this, as I believe it lowers
>>>> security while also causing frustration for the users.
>>>>
>>>> Please let me hear your thoughts.
>>>
>>> As I have written above due to many requests to have the possibility to
>> do
>>> this. (And ultimately we can only set sane defaults / recommend stuff)
>> We have
>>> enabled copy&paste for pinentry-qt some time last year.
>>>
>>> So it should work.
>>>
>>> Best Regards,
>>> Andre
>>>
>> _______________________________________________
>> Gpg4win-users-en mailing list
>> Gpg4win-users-en at wald.intevation.org
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
>>
> 



More information about the Gpg4win-users-en mailing list