On Mon, 2007-08-20 at 14:28 -0400, Colin Walters wrote:
On 8/20/07, David Zeuthen <davidz(a)redhat.com> wrote:
- It's a fair goal to ensure that users don't have to enter
passwords and I think gnome-keyring and other password
the one in Firefox) helps with that. Especially if it's
unlocked when you log in.
For sure I agree the API-to-store-stuff aspect of the keyring is good,
because in theory it lets you share stuff between applications. In
practice that seems to have mostly failed. Pidgin and Firefox do
their own thing, and almost everything I see that actually uses
gnome-keyring uses the GENERIC_SECRET instead of NETWORK_PASSWORD so
you can't easily reuse logins between apps...at least not without
getting stormed by "Allow or Deny?".
I think one point here is that only Evolution can read my IMAP password;
only pidgin can read my instant messenger passwords and so forth. The
whole "Allow or Deny?" thing, I think, is a bit misguided and just opens
up another avenue of attacks. Shrug.
FWIW, I consider it a bug that the password store in e.g.
isn't locked the same way we lock gnome-keyring; I know the
in Firefox is there but we just uncheck it by default so
Well they're not directly plaintext on disk (I actually looked at this
as part of killing-login-dialogs thing); but yeah the key used to
decrypt them is right there so it ends up being more a CVS-style rot13
obfuscation (which is a good idea).
Yeah, as I said; they're stored in plaintext :-)
Right; this is the real solution to the stolen-laptop problem and
all for it!
Except that it doesn't address one serious problem...
Right =) The guiding principle here being: If someone has
physical access to your computer and hostile intent, you've
(Sure, and with physical access why even bother with installing
*software* when you can easily attach a cheap wireless camera pointing
at the keyboard or a hardware keylogger attached to the USB or PS2 keyboard
Not that it's impossible to defend against but...it gets
baroque and the important thing to secure is the web browser.
The serious problem here is that with the way people use the Internet
there will always be plenty of attack vectors; you mention the web
browser, there's a bunch of other well known vectors
- PDF viewers
- Image viewers
- AV Codecs
- IM clients
- VM's like Flash, Silverlight/Moonlight, Java
- Random apps downloaded off the Internet
Note that there will be *more* of these every single day simply because
people use the Internet in more interesting ways. And then there's all
the social engineering attacks.
So, like it or not, we simply need to engineer the security of the
operating system such that untrusted code running in your desktop
session can do as little harm as possible. This includes making sure
that such harmful software
- Can't elevate itself; either through code exploits
- ... or by bringing up auth / acknowledge dialogs that look
like system auth dialogs
- Can't spy on you (event snooping) / do things on your behalf
- Can't access secrets; e.g. it's a non-starter to have your Firefox
password database accessible to any app running with your uid. It's
just not enough to obfuscate it. Ditto for your mail client / IM
client and so forth.
It's quite a challenge, I think, how to do this properly in a world
where we increasingly want applications to feel integrated. Either that,
or we say "we've lost" if untrusted code is running in your session.