If I am connected to the Internet via a SLIP/PPP connection and I type my passphrase while being online (for example, in Private Idaho, after getting my mail), could that passphrase be compromised? If so, how would that be done?
You're much safer if you're using an operating system instead of a kluge like Windows... On the other hand, operating systems make it easier to run applications like telnet servers that allow someone else to connect to your system while you're on line. Some different ways you could be at risk include - someone sends you a keystroke-sniffer program and tricks your machine into running it - so it grabs your passphrase from PI or PGP and sends it in later - someone sends you a keystroke-sniffer program and tricks _you_ into running it, whether they use email, web, etc. - someone logs into your system, guesses that the root password is "trustno1", and modifies your copy of PGP to save keystrokes. (On MSDOS, of course, you don't _need_ a root password.) - someone sets up a web page with an evil ActiveX script that convinces your Internet Explorer to download a new copy of PGP. - someone sends you email with an attachment named ..\..\..\windows\pgp.exe and your mail system is dumb enough to accept the pathname. - somebody sends you email with an MS-Word/Excel/PPT attachment that, instead of having a dumb Concept macro virus, has a macro that does something useful like replace your copy of PGP, and you don't have any innoculation on your MS-Word. - any of the above, where the "pgp" program is replaced with one that's almost identical but uses non-random numbers instead of good randoms, and maybe also leaks out your secret key or passphrase. - any of the above, where your email program is modified to add Cc: janet@kremvax.su on outgoing smtp.
Still paranoid? Good!
# Thanks; Bill # Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com # You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp # (If this is a mailing list, please Cc: me on replies. Thanks.)