[4126] in cryptography@c2.net mail archive
Re: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Harald Hanche-Olsen)
Thu Feb 4 13:01:43 1999
To: cryptography@c2.net
In-Reply-To: Your message of "Thu, 04 Feb 1999 09:35:49 -0800"
<8525670E.005A223E.00@mailer.zd.com>
Date: Thu, 04 Feb 1999 18:50:01 +0100
From: Harald Hanche-Olsen <hanche@math.ntnu.no>
As is pointed out in the referenced article, this macro virus only
steals the (encrypted) private keyring, and hence private keys are
still safe unless the attacker can break the encryption. Which he can
easily do with a dictionary search, if the user has been overly
simplistic in her choice of pass phrase.
But this vividly demonstrates a key point well known to anybody with
the most casual interest in computer security: Your private key is no
more secure than the platform on which you use it. The virus could
just as easily have installed trojan code in PGP itself, to upload
decrypted private keys when the opportunity arrives.
(Who was it who said that using strong cryptography on the Internet
was like using an armoured truck to transport stuff from a guy living
in a cardboard box to someone living on a park bench?)
- Harald
