Re: gnome-keyring Passwords freely available after login



On 12/13/2010 09:59 AM, Yaron Sheffer wrote:
> Seahorse is available on many machines, and any snoop can come by and
> view the passwords. What Karl is suggesting (I believe) is that the
> Seahorse *application* should require the login (or keyring?) password
> to be entered, even though as an application, it already has access to
> the passwords.

I guess we could try that. The behavior wouldn't represent the security
of the system completely. But I guess we should find the right balance
between usability and security.Yes,

Do you have an implementation in mind? Would you be interested in
working on this idea? Implementing this isn't as trivial as it seems. In
any case, your work on this would be greatly appreciated by lots and
lots of people. Here is a relevant bug:

https://bugzilla.gnome.org/show_bug.cgi?id=627117

> I agree with Karl that this would provide real security benefit, even
> though a smarter attacker, or one who has more time, can install another
> application and access the same secrets.

Yes, and we have to remember that we'll keep getting people coming in
here irritated about the fact that "it's trivial to use this or that
command" to see their passwords.

Cheers,

Stef


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]