Re: Security vulnerability or design fault in Seahorse
- From: Adam Schreiber <sadam gnome org>
- To: Benjamin Humphrey <humphreybc gmail com>
- Cc: Seahorse mailing list <seahorse-list gnome org>
- Subject: Re: Security vulnerability or design fault in Seahorse
- Date: Wed, 28 Oct 2009 22:06:54 -0400
Aside: Taking this back on the list as I must have hit reply instead
of reply all. The interim emails are below for those playing along at
On Wed, Oct 28, 2009 at 6:43 PM, Benjamin Humphrey <humphreybc gmail com> wrote:
> Okay, I'll do my best to try and summarize:
> Basically, users are worried that passwords for empathy, wireless networks
> and other programs that use Seahorse to store passwords can be seen in clear
> text from less than four clicks of the mouse button from a desktop.
Technically, the passwords and secrets are stored in gnome-keyring,
seahorse is just a manager/viewer.
> The argument for changing it is to change the location of
> Passwords/Encryption to Preferences, remove the checkbox to show passwords
> in clear text (after all, you should know your own passwords) or prompt for
> you to enter in your user password to view them in clear text.
I think we've addressed prompting for the password before making it
visible before but there's no really good way to "prompt" and check
before displaying it. We have to work within the gnome-keyring API.
> Also many
> people say that even Windows does not show MSN passwords in plain text from
> the main menu.
> The argument for leaving it how it is, is that people should learn to lock
> their computers when leaving them for more than 30 seconds, and if they
> don't, they've got more to worry about than people seeing their passwords
> (i.e., rm -rf commands, rootkit installers etc).
> The debate continues with people saying 90% of people using your computer
> won't know how to install rootkits or run rm -rf commands, but with a bit of
> thoughtless rummaging, quite easily access your passwords. As one person
> points out, most criminals are stupid, so therefore an easy option to show
> passwords would be more relevant to them.
I think our current approach is consistent with the security model I
linked previously. We don't want to give anyone the false impression
that their data is more secure than it is. Lock your screen and the
key ring's locked, unlock your screen and it's unlocked. If your
screen is unlocked, they can just copy your keyring file and crack it
at their leisure anyway. You have a secure user password right?
> There are other arguments put forward by people, such as it is the user's
> responsibility to make sure untrustworthy people don't have physical
> access to your computer. The counter of that is that people such as
> co-workers, your family, teenagers that you trust to access your computer
> might stumble across your passwords easily. Teenagers could buy things using
> credit card details, co-workers and friends could use this information
> against you in the future if there was ever a fall out.
> Among all this, there are a lot of posts debating analogies, with a car
> being used as the main analogy. If someone has access to your car door key,
> then the game is over - this key also starts the car. This equals one level
> of security, which is advised against in the security world. I haven't read
> the analogy posts in detail, but as you can imagine, there are arguments
> against this idea too.
It all comes down to an opinion about consistency and trade-offs
between usability and security. I agree with Stef on this one. These
are not new concerns and that's why we've discussed it in the past and
posted an explanation as to our thought process. I'd like to remind
everyone that the problem of passwords in the open is not specific to
seahorse. All someone with access to your user session and the
ability to run a program would need to do is load a program and give
it permission to query each secret on the keyring. Without the
architecture of gnome-keyring changing there's not much to do on this
front and as the security philosophy indicates, some things in Linux
and the desktop in general would have to change for that to happen.
> On Thu, Oct 29, 2009 at 11:32 AM, Adam Schreiber <sadam gnome org> wrote:
>> On Wed, Oct 28, 2009 at 6:20 PM, Benjamin Humphrey <humphreybc gmail com>
>> > I would hope that you take into consideration the opinions of the Ubuntu
>> > users. That's the over-ruling philosophy of Ubuntu, and if the users
>> > have
>> > something to say, the developers should listen.
>> > If you do not have the time, then please pass this on to someone who
>> > does.
>> If you would care to summarize the thread and/or file a bug report
>> and/or ask a question, I'd appreciate it. That's a really long thread
>> at 14 pages. I care, but I don't want to have to respond to each
>> point separately. Also, please note, we're GNOME developers not
>> Ubuntu developers and while we try to be responsive to users and
>> reasonable to requests please remember that we're mainly volunteers
>> and haven't signed on to an "over-ruling philosophy of Ubuntu."
>> > On Wed, Oct 28, 2009 at 11:52 AM, Adam Schreiber <sadam gnome org>
>> > wrote:
>> >> On Tue, Oct 27, 2009 at 9:08 AM, Benjamin Humphrey
>> >> <humphreybc gmail com>
>> >> wrote:
>> >> > Have a look at this
>> >> > thread: http://ubuntuforums.org/showthread.php?p=8174360
>> >> I'm not going to read that entire thread, but I guess the gist is
>> >> someone's asking if providing access to the keyring without prompting
>> >> for the password. Here's the official response regarding the
>> >> gnome-keyring security philosophy:
>> >> http://live.gnome.org/GnomeKeyring/SecurityPhilosophy
>> >> In short: lock your screen if you walk away and use the guest session
>> >> if someone asks to use your computer.
>> >> Cheers,
>> >> Adam
>> > --
>> > Cheers,
>> > Benjamin