Passphrase Online...

Bill Stewart stewarts at ix.netcom.com
Tue Jan 28 13:15:48 PST 1997


>>If I am connected to the Internet via a SLIP/PPP connection and I
>>type my passphrase while being online (for example, in Private
>>Idaho, after getting my mail), could that passphrase be compromised?
>>If so, how would that be done?

You're much safer if you're using an operating system instead of a
kluge like Windows...  On the other hand, operating systems make it
easier to run applications like telnet servers that allow someone
else to connect to your system while you're on line.
Some different ways you could be at risk include
- someone sends you a keystroke-sniffer program and tricks your machine
into running it - so it grabs your passphrase from PI or PGP and
sends it in later
- someone sends you a keystroke-sniffer program and tricks _you_
into running it, whether they use email, web, etc.
- someone logs into your system, guesses that the root password is
"trustno1", and modifies your copy of PGP to save keystrokes.
(On MSDOS, of course, you don't _need_ a root password.)
- someone sets up a web page with an evil ActiveX script that
convinces your Internet Explorer to download a new copy of PGP.
- someone sends you email with an attachment named 
..\..\..\windows\pgp.exe and your mail system is dumb enough to accept 
the pathname.
- somebody sends you email with an MS-Word/Excel/PPT attachment that,
instead of having a dumb Concept macro virus, has a macro that
does something useful like replace your copy of PGP, and you don't
have any inoculation on your MS-Word.
- any of the above, where the "pgp" program is replaced with one that's
almost identical but uses non-random numbers instead of good randoms,
and maybe also leaks out your secret key or passphrase.
- any of the above, where your email program is modified to add
Cc: janet at kremvax.su on outgoing smtp.

> Still paranoid?  Good!


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
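
The attachment-name item in the list above (`..\..\..\windows\pgp.exe`), seen from the receiving mail client's side. This is an added example, not part of the original post: a Python sketch of how a client can refuse to honour directory components in a sender-supplied filename. The names `safe_attachment_path`, `carries_path_components` and `UnsafeAttachmentName` are hypothetical.

```python
import ntpath
from pathlib import Path


class UnsafeAttachmentName(ValueError):
    """The sender-supplied filename cannot be reduced to a safe leaf name."""


def carries_path_components(supplied_name):
    """True when the name contains a separator or drive prefix.

    A plain attachment never needs one, so this is worth logging.
    """
    drive, rest = ntpath.splitdrive(supplied_name)
    return bool(drive) or "/" in rest or "\\" in rest


def safe_attachment_path(save_dir, supplied_name):
    """Return a path directly inside save_dir for the attachment.

    Every directory component the sender put in the name is discarded.
    """
    if "\x00" in supplied_name:
        raise UnsafeAttachmentName(supplied_name)
    # ntpath splits on both "\" and "/" and drops a drive prefix, so the
    # DOS-style name from the post is handled even on a Unix mail host.
    leaf = ntpath.basename(supplied_name).strip(" .")
    if not leaf:
        # Covers "", ".", ".." and names that end in a separator.
        raise UnsafeAttachmentName(supplied_name)
    base = Path(save_dir).resolve()
    target = (base / leaf).resolve()
    # Second check: after resolving symlinks the file must still sit
    # directly in save_dir.
    if target.parent != base:
        raise UnsafeAttachmentName(supplied_name)
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample names; the first is the one from the post.
        for name in (r"..\..\..\windows\pgp.exe", "../../etc/passwd", "notes.txt"):
            print(carries_path_components(name), safe_attachment_path(d, name))
```
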







