[cryptography] can the German government read PGP and ssh traffic?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jun 5 08:11:06 EDT 2012

Thierry Moreau <thierry.moreau at connotech.com> writes:

>Unless automated SSH sessions are needed (which is a different problem
>space), the SSH session is directly controlled by a user. Then, the private
>key is stored encrypted on long term storage (swap space vulnerability
>remaining, admittedly) and in *plaintext*form*only*momentarily* for SSH
>handshake computations following a decryption password entered by the user. 

...except that a user study a few years back ("Inocilating SSH Against Address
Harvesting") found that two thirds of all SSH private keys were stored in
plaintext on disk.  You need to look at what actually happens in practice, not
what in theory should happen in an ideal world.

In any case though you're completely missing the point of my argument (as did
the previous poster), which is that a scary number of people follow the
thinking that "passwords are insecure, PKCs are secure, therefore anything
that uses PKCs is magically made secure" even when it's quite obviously not
secure at all.  This is magical thinking, not any kind of reasoned assessment
of security.


More information about the cryptography mailing list