Implementation issues, security holes

If you have PGP (for instance) installed and use it, your E-mail is probably safe after you send it, and incoming mail is safe until you get it (apart from the dangers of mail being lost, the pattern of mail analyzed and so on).

But consider the following attacks on your mail's privacy:

• An attacker wanders into your office during lunch and sees your letter on the screen while stealing your wallet
• An attacker discovers that you are using an X display with "xhost +" (open access), starts a grabber that records all your keypresses, and uses that to unlock your secret keyring
• An attacker attaches to your local network, discovers that you are using PGP on a diskless PC, and that the plaintext is swapped to the fileserver while you are decrypting it
• An attacker with access to any directory in your PATH installs a rogue PGP version that always adds the session key encrypted for an extra recipient: the attacker. (Do you have the current directory in your Path?)
• An attacker mails you a Word document that installs a macro in your templates which will send an unencrypted copy of the document to an attacker every time you invoke the "file|mail" menu in Microsoft Word
• An attacker aims a high-powered light detector through your window at the wall behind your back, and is able to reproduce the picture on your screen from the timing of the CRT emission
• An attacker discovers that exmh (an Unix mail agent) leaves the decrypted files in /tmp while you are reading them, and uses superuser privilleges to read them.
• An attacker roots through the dustbin outside the building and discovers the printout of the message that you forgot to put into the document shredder