Comment by upofadown

1 day ago

From the linked page:

> Notably, pass fails both of these requirements, ... , and the files themselves do not use authenticated encryption.

With pass you can turn authentication on by setting an option to sign the files by default. That comes at the cost of requiring an extra entry of the passphrase, so most do not turn this on. Few people are concerned with the idea that an attacker might modify their passwords so they don't work. There is no real benefit to an attacker. They could just delete the files.

Even if signatures are not turned on, the regular PGP integrity protection would still be in effect, so in the unlikely event that an attacker changed the file, an error would be generated and presumably passed on to the user.

This article goes into some of the deficiencies of using GPG with pass. In particular, GPG uses asymmetric keys, so someone could encrypt a new password file with your public key and you wouldn't know.

https://rot256.dev/post/pass/

  • Yes, that is specifically what enabling signatures prevents. You would know when the stored password stopped working and the content of the rest of the file changed.

    That article is fairly rough. For one thing it references "The PGP Problem":

    * https://articles.59.ca/doku.php?id=pgpfan:tpp

    For another thing it references "the quantum threat against cryptography" as an actual argument against password store.

    • Yes, signatures would prevent that, but as you noted it isn't enabled by default so most people don't use it. Optional security features don't count in my book :)

      For the rebuttal you posted, I'll respond to one thing:

      > The entire rant is basically about how OpenPGP is old and therefore bad and how new things, sometimes only vaguely defined, are good. So let's address this first.

      > If someone, while trying to sell you some high security mechanical system, told you that the system had remained unbreached for the last 20 years you would take that as a compelling argument. You would be unlikely to demand a newer design. Normally old designs that have stood the test of time are valued. Cryptography is based on mathematical/logical principles. Such principles don't age out on any sort of a schedule and are valued in some cases for thousands of years.

      The "unbreached for the last 20 years" conclusion about mechanical security systems does not immediately apply to mathematical ones, and we can indeed see that it is empirically incorrect. The cryptographic world is littered with the corpses of cryptographic algorithms that were secure for decades and are now broken (MD5, SHA1, DES, small RSA keys, TLS 1.0), and their C implementations that had horrible vulnerabilities (Heartbleed, etc). Mathematical proofs will not help us here either, since e.g. there is no proof that GPG is IND-CCA. (Which is unlike new systems, which do have proofs!) GPG had its day, and now it should be retired.

      Also, the quantum threat is a reasonable one in the "store now, decrypt later" model. A lot of people presumably use git to store their password store online and would be vulnerable to this. The passwords in the files would probably not be important anymore once quantum computers are created, but any other long term data or other personal information that people store in there could be decrypted.

  • Well, yes, but this is also a feature: you can store passwords without having the private key available. That can be handy.

    I don't really see the value in an attacker being able to store new passwords anyway. Besides, in order to do that they'd already have to have breached my private git server too.
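The thread above turns on two properties of the files in a pass store: the parent comment's point that the "regular PGP integrity protection" (the MDC of an OpenPGP SEIPD packet) catches tampering with an existing file, and the reply's point that anyone holding only the public key can encrypt a brand-new file to it, with nothing in the ciphertext saying who wrote it. The script below is an added example, not code from pass, GnuPG or any commenter: it parses just the outer packet headers of an OpenPGP message (RFC 4880 sections 4.2, 5.1 and 5.13), reports which key ID each file is encrypted to and whether the payload is in the integrity-protected packet type (tag 18) or the legacy, MDC-less type (tag 9). It never decrypts anything, so it runs over a store without the private key. The two sample messages are constructed byte strings with dummy MPI and ciphertext bodies, laid out the way gpg emits its packets; the key ID in them is made up.

```python
"""Inspect the outer packet structure of OpenPGP messages such as the .gpg
files in a pass store.  Added example; only packet headers are parsed, the
encrypted bodies are never touched, so no private key is needed."""
import struct

TAG_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    9: "Symmetrically Encrypted Data (legacy, no MDC)",
    18: "Symmetrically Encrypted Integrity Protected Data (MDC)",
}


def _new_length(data, pos):
    """Decode a new-format length field; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body length


def parse_packets(data):
    """Return a list of (tag, body) for every top-level packet in a binary message."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: tag in low six bits
            tag, body = ctb & 0x3F, b""
            while True:  # partial lengths chain until a definite one
                length, pos, partial = _new_length(data, pos)
                chunk = data[pos:pos + length]
                if len(chunk) != length:
                    raise ValueError("truncated packet")
                body += chunk
                pos += length
                if not partial:
                    break
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of input
                body, pos = data[pos:], len(data)
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
                body = data[pos:pos + length]
                if len(body) != length:
                    raise ValueError("truncated packet")
                pos += length
        packets.append((tag, body))
    return packets


def inspect_store_file(data):
    """Summarise recipients and integrity mode.  Note what is NOT visible here:
    a signature, if any, lives inside the encrypted payload, so nothing outside
    the ciphertext tells you who produced the file."""
    recipients, integrity = [], None
    for tag, body in parse_packets(data):
        if tag == 1:  # PKESK: version(1) key-id(8) pubkey-algo(1) MPIs
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            key_id = body[1:9]
            recipients.append("anonymous (hidden key ID)" if key_id == bytes(8)
                              else key_id.hex().upper())
        elif tag == 18 and body[0] == 1:
            integrity = "mdc"
        elif tag == 9:
            integrity = "no-mdc"
    return {"recipients": recipients, "integrity": integrity}


def _pkesk(key_id):
    """Build a constructed PKESK packet (RSA algo 1, dummy 128-bit MPI)."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x80" + bytes(range(16))
    return b"\xC1" + bytes([len(body)]) + body


# Constructed sample 1: what a modern gpg --encrypt of a pass entry looks like
# from the outside.  Made-up recipient key ID, five-octet length on the SEIPD
# packet, 32 bytes of fake ciphertext after the version byte.
SAMPLE_MDC = (_pkesk(bytes.fromhex("0123456789ABCDEF"))
              + b"\xD2" + b"\xFF" + struct.pack(">I", 33)
              + b"\x01" + bytes(range(0x40, 0x60)))

# Constructed sample 2: hidden recipient (all-zero key ID) and a legacy
# old-format tag-9 packet, i.e. no integrity protection at all.
SAMPLE_LEGACY = (_pkesk(bytes(8))
                 + b"\xA4" + bytes([32]) + bytes(range(0x60, 0x80)))

if __name__ == "__main__":
    for name, blob in (("modern", SAMPLE_MDC), ("legacy", SAMPLE_LEGACY)):
        print(name, [TAG_NAMES.get(t, t) for t, _ in parse_packets(blob)],
              inspect_store_file(blob))
```

Run over a real store with `for f in ~/.password-store/**/*.gpg`, the interesting outputs are a recipient key ID you do not recognise (the `.gpg-id` file should list every ID that appears), a hidden recipient, or `no-mdc`, which current gpg refuses to decrypt anyway. What the script cannot report is whether the file was signed, because the signature packet sits inside the SEIPD payload; that is exactly the point made in the thread that an unsigned entry encrypted to your public key is indistinguishable from one you made yourself until it is decrypted.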