GPG: Deprecated hash + local "game over" exploit

Shawn K. Quinn skquinn at rushpost.com
Sat Jul 1 16:30:22 PDT 2017


On 07/01/2017 03:17 PM, Steve Kinney wrote:
> Last time I checked, this bug was dismissed by Debian as a non-issue,
> saying that exploiting it would require physical access to the machine
> and "physical access is game over."  That's an excuse to leave the bug
> in place, not a reason.  I am sure present company can provide several
> examples of cases where the presence of gnupg-agent in its present
> broken condition "is game over" for the user.

Are you sure you didn't accidentally save your passphrase to your GNOME
password manager (seahorse)? I thought I had the same problem where
passphrases were being cached far longer than they should be, until I
found this "helpful" remembering of my passphrase (which I have since
fixed).

I'm going to do some further testing; I have explicitly added the
supposed default TTL values to gpg-agent.conf and I will see if I still
have issues.

-- 
Shawn K. Quinn <skquinn at rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
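
Added example, not part of the original message and not GnuPG's own code: a small Python audit of gpg-agent.conf content covering the two situations discussed above, cache TTL settings and a passphrase kept by an external password manager. The sample config is constructed; the 600 s and 7200 s defaults and the `no-allow-external-cache` option are the ones documented for gpg-agent.

```python
# Added example: audit gpg-agent.conf content for passphrase-cache settings.
# Documented GnuPG defaults, in seconds.
DEFAULTS = {"default-cache-ttl": 600, "max-cache-ttl": 7200}

# Constructed sample config, not taken from the original message.
SAMPLE = """\
# ~/.gnupg/gpg-agent.conf
default-cache-ttl 600
max-cache-ttl 7200
"""

def parse_agent_conf(text):
    """Return {option: argument or None}; in this parser a later line wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else None
    return opts

def audit(text):
    """Return (effective TTLs, list of findings) for the given config text."""
    opts = parse_agent_conf(text)
    effective, findings = {}, []
    for name, default in DEFAULTS.items():
        arg = opts.get(name)
        if arg is None or not arg.isdigit():
            effective[name] = default
            findings.append(f"{name}: not set or not a number, default {default}s assumed")
        else:
            effective[name] = int(arg)
            if effective[name] > default:
                findings.append(f"{name}: {arg}s is longer than the default {default}s")
    # default-cache-ttl restarts on every use of the key; max-cache-ttl is the hard cap.
    if effective["default-cache-ttl"] > effective["max-cache-ttl"]:
        findings.append("default-cache-ttl exceeds max-cache-ttl; the max value caps it")
    # Without this option pinentry may offer to store the passphrase in an
    # external password manager, where the agent TTLs no longer apply.
    if "no-allow-external-cache" not in opts:
        findings.append("no-allow-external-cache: not set, external passphrase cache allowed")
    return effective, findings

if __name__ == "__main__":
    ttl, notes = audit(SAMPLE)
    print(ttl)
    for note in notes:
        print("-", note)
```

gpg-agent reads the file at startup, so a running agent has to reload its configuration before changed values take effect.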

