low-hanging fruit

David Zeuthen davidz at redhat.com
Mon Aug 20 18:55:48 UTC 2007


Hi,

On Mon, 2007-08-20 at 14:28 -0400, Colin Walters wrote:
> On 8/20/07, David Zeuthen <davidz at redhat.com> wrote:
>
>         - It's a fair goal to ensure that users don't have to enter any
>           passwords and I think gnome-keyring and other password stores (like
>           the one in Firefox) help with that. Especially if it's automatically
>           unlocked when you log in.
> 
> For sure I agree the API-to-store-stuff aspect of the keyring is good,
> because in theory it lets you share stuff between applications.  In
> practice that seems to have mostly failed.  Pidgin and Firefox do
> their own thing, and almost everything I see that actually uses
> gnome-keyring uses the GENERIC_SECRET instead of NETWORK_PASSWORD so
> you can't easily reuse logins between apps...at least not without
> getting stormed by "Allow or Deny?". 

I think one point here is that only Evolution can read my IMAP password;
only pidgin can read my instant messenger passwords and so forth. The
whole "Allow or Deny?" thing, I think, is a bit misguided and just opens
up another avenue of attacks. Shrug.

>           FWIW, I consider it a bug that the password store in e.g. Firefox
>           isn't locked the same way we lock gnome-keyring; I know the option
>           in Firefox is there but we just uncheck it by default so you get
>           plaintext passwords.
> 
> Well they're not directly plaintext on disk (I actually looked at this
> as part of killing-login-dialogs thing); but yeah the key used to
> decrypt them is right there so it ends up being more a CVS-style rot13
> obfuscation (which is a good idea). 

Yeah, as I said; they're stored in plaintext :-)

> Right; this is the real solution to the stolen-laptop problem and I'm
> all for it!

Except that it doesn't address one serious problem...

> Right =)  The guiding principle here being: If someone has 
> physical access to your computer and hostile intent, you've
> already lost. 

(Sure, and with physical access why even bother with installing
*software* when you can easily attach a cheap wireless camera pointing
at the keyboard or a hardware keylogger attached to the USB or PS/2
keyboard cable.)

> Not that it's impossible to defend against but...it gets increasingly
> baroque and the important thing to secure is the web browser.

The serious problem here is that with the way people use the Internet
there will always be plenty of attack vectors; you mention the web
browser, there's a bunch of other well known vectors

 - PDF viewers
 - Image viewers
 - AV Codecs
 - IM clients
 - VM's like Flash, Silverlight/Moonlight, Java
 - Random apps downloaded off the Internet

Note that there will be *more* of these every single day simply because
people use the Internet in more interesting ways. And then there's all
the social engineering attacks.

So, like it or not, we simply need to engineer the security of the
operating system such that untrusted code running in your desktop
session can do as little harm as possible. This includes making sure
that such harmful software

 - Can't elevate itself; either through code exploits 

 - ... or by bringing up auth / acknowledge dialogs that look
   like system auth dialogs

 - Can't spy on you (event snooping) / do things on your behalf

 - Can't access secrets; e.g. it's a non-starter to have your Firefox
   password database accessible to any app running with your uid. It's
   just not enough to obfuscate it. Ditto for your mail client / IM
   client and so forth.

It's quite a challenge, I think, how to do this properly in a world
where we increasingly want applications to feel integrated. Either that,
or we say "we've lost" if untrusted code is running in your session.

     David
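To make concrete the distinction drawn in this exchange between an "obfuscated" password store (the decryption key sits on disk next to the data, so anything running with your uid can read both) and a store that is only unlocked by the user's login credential, here is an added Python illustration. It is not code from the thread, from Firefox, or from gnome-keyring; the file names, the sample secret and the toy XOR stream cipher are constructed stand-ins for the discussion, not any project's real on-disk format.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample secret standing in for an IMAP/IM password (not real data).
SECRET = b"imap-password-example"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with a SHA-256 counter keystream.
    A real store would use an authenticated cipher from a vetted library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def write_obfuscated_store(secret: bytes) -> Dict[str, bytes]:
    """The design criticised in the thread: the key that decrypts the database is
    stored beside it. Both 'files' are readable by any process with the user's uid."""
    key = os.urandom(32)
    return {"key.db": key, "signons.db": keystream_xor(key, secret)}


def read_obfuscated_store(files: Dict[str, bytes]) -> bytes:
    """No passphrase, no prompt: whoever can read the two files has the secret."""
    return keystream_xor(files["key.db"], files["signons.db"])


def write_locked_store(secret: bytes, passphrase: str) -> Dict[str, bytes]:
    """The 'locked like gnome-keyring' design: the key is derived from a passphrase
    that is never written to disk, and a MAC lets a wrong passphrase be detected."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    ciphertext = keystream_xor(key, secret)
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return {"salt": salt, "signons.db": ciphertext, "tag": tag}


def read_locked_store(files: Dict[str, bytes], passphrase: str) -> Optional[bytes]:
    """Returns the secret only with the right passphrase; otherwise None (nothing leaks)."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), files["salt"], 200_000)
    expected = hmac.new(key, files["signons.db"], "sha256").digest()
    if not hmac.compare_digest(expected, files["tag"]):
        return None  # wrong passphrase or tampered file
    return keystream_xor(key, files["signons.db"])


if __name__ == "__main__":
    # Any same-uid process can open the obfuscated store with just the files.
    print("obfuscated store ->", read_obfuscated_store(write_obfuscated_store(SECRET)))
    # The locked store yields nothing to a process that only holds the files.
    locked = write_locked_store(SECRET, "login-passphrase")
    print("locked, wrong passphrase ->", read_locked_store(locked, "guess"))
    print("locked, right passphrase ->", read_locked_store(locked, "login-passphrase"))
```

The example shows why the message treats the obfuscated layout as "stored in plaintext": the protection is only as strong as file permissions, which every app running with your uid already satisfies. The locked variant moves the trust to something that is not on disk, which is the property the thread wants from an automatically unlocked keyring; it still does nothing against code that can snoop the session after unlock, which is the separate problem the last part of the message raises.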
More information about the Fedora-desktop-list mailing list