Re: cleaning up keyrings

["Bryan Clark" <bclark redhat com>]

On 8/28/07, David Zeuthen <david fubar dk> wrote:

On Tue, 2007-08-28 at 17:33 -0400, Havoc Pennington wrote:
>  - fix Firefox to use the keyring, or at least let apps query Firefox
> password manager storage
>  - have some mechanism for "smart deductions," like "I can guess you
> have an XMPP account that matches your google.com username/password" -
> maybe this just has to be in the apps, not sure

One important thing about the gnome-keyring prompts is that they display
information the user should be able to trust / understand. Things like
that App X is trying to use the key stored by App Y. [1]

AFAIK, to do this in a secure way, the prompts stem from a separate
process [2] and the code looks at the callers process id to determine
what application (on Linux via /proc/<pid>/exe) is making the requests
and then uses that name in prompts like these

http://people.freedesktop.org/~david/gnome-keyring-allow-deny.png
(actually this instance of the dialog, btw, looks pretty hostile to end
  users. Maybe I'm just not using gnome-keyring correctly from
  gnome-mount to save the LUKS pass phrase in the keyring. Shrug.)

The key here is that information you show in these prompts absolutely
needs to be trusted; you just cannot let the caller of the keyring API
pass in random junk; you cannot trust them.

So I wonder how this would work with Firefox. Ideally you want to
display

"The gmail.com website"
(and ideally also display some kind of icon whether the
  website in question is signed by a trusted third-party.)

instead of

"The application Firefox"

As I see it, to do this the keyring prompts would need to trust the
Firefox process to get this information or you run the risk of
displaying wrong information to the user... Sounds like a pretty hard
problem to me.

Just some thoughts / ramble. Hope it's useful.

      David

[1] : In fact I'm skeptical that most users will do more than just click
through these prompts... if we didn't care about protecting secrets on a
per-application basis we would be just as well off with encrypted
homedir and just store secrets in plaintext. And then we wouldn't need a
keyring API at all.

[2] : Which is good as it means it's possible to

1) Restrict access to the keyring database to a specific security
    context etc. that only the gnome-keyring programs run in; and

2) In the future use of XACE to paint different window decorations to
    make the dialog look more "trusted" (doubtful approach to security
    but I thought I'd mention it anyway); and

3) Show the dialogs it on a different X server (e.g. the gdm greeter)
    possibly using a Secure Attention Key (ctrl+alt+del) to get there.

I'm probably missing lots of understanding of how this system works, but I have a few questions I'd like your feedback on for initially reducing the amount of password prompting.  I'll start with this one and see where it goes before I ask more.

Can an application that stores a secret be able to retrieve that same secret without unlocking the keyring?

I never really understand why NetworkManager, the one who put certain secrets into my keyring needs to ask my permission to get those secrets back.  Sure those secrets are "my passwords", but I already gave them to NM once, why does it need to ask to get them again?  If it wasn't a good idea to give those passwords to NM the first time, it's too late because it already has them.

If Firefox, for some reason, wanted access to the secrets that NetworkManager stored I think that has cause for some alarm.  The warning for this situation is a little easier, because it's less often and probably shouldn't happen unless something is really wrong.

Even though the keyring is locked, it seems like the application that set the secret should be able to retrieve it.  I don't know how you want to make sure it's the same calling application, there might be some tricks in that.  But this would reduce the number of login / access the keyring dialogs. 

Perhaps my vision of the keyring is more of a secure little area where applications can save data that's reliable and encrypted and I have the master password to; however if an application wants to save some random secret bits in the keyring that only it will retrieve later I find it pretty harmless.  Is that a false assumption?

--

One key to having better security is to not cry wolf to our user all the time.  In reality, even without crying wolf they are going to click through whatever dialogs we bring up so we might as well work with the mindset in our designs to not bring up the dialogs at all.  They'll likely be some exceptions where we feel a dialog is necessary, however each dialog really means we've failed at being secure and passed the buck on to our users.

~ Bryan