>b's weblog

News. Journal. Whatever.


If the attacker can run binary code on your desktop, you're lost anyway – this is neither a Mailvelope problem nor Mozilla's fault

TLDR: When an attacker can run arbitrary code on your desktop, he can own your secret keys. Or, in case you're using a hardware key store, he will not need them anyway. Losing the desktop means losing control.

In the current discussion, flames are being fanned by Cure53 and Posteo in Germany. Most people seem not to be aware of this very fact. Therefore, here is a little FAQ:

  1. Can an attacker access my secret key by running arbitrary code on my desktop?

    Yes, he can.

  2. But I have a passphrase on my key! Can he anyway?

    Yes, he can anyway. If you don't believe it, test this little keylogger code, specialized for GnuPG's passphrase windows, yourself! The same can be done for all software key stores. GnuPG is no less secure than anything else.

  3. I have a hardware key store, am I safe now?

    No, you aren't. You're running your encryption software on your desktop, right? Then the attacker will manipulate that software instead of trying to obtain your keys – and use your passphrase (and PIN entry) for his attacks.

  4. Oops – is there any way out?

    Not with your desktop. There are options to improve the situation on your desktop, though: e.g. on Windows, use another WindowStation for passphrase entry and run crypto software in privileged processes, so that a successful privilege elevation is needed to attack. Or try to keep the attacker sandboxed. Good luck! If the attacker actually owns your system, you're lost.

  5. OK, and now?

    Welcome to the problem of the Secure Terminal! If you find one, then things will change – but not before. And better forget the idea that your smartphone could be secure…

P.S.: Yes, I fully understand that Cure53 and Posteo wanted to point the finger at the very fact that Firefox still has binary plugins. It's just that this changes nothing about the facts mentioned in this FAQ.