undefined | Better HN

0 pointsGauntletWizard9y ago0 comments

You're very much misrepresenting the facts. Android very much encrypts data (or gives users the option to, I'm not certain if it's the default). Chrome, the desktop application, does not. Why? Because that's a false sense of security. Chrome would have to also store the encryption key, and store it in the same place and under the same access controls as the encrypted data. This is not real protection. It is up to the user to not run malicious apps under the same security context as Chrome, and to encrypt their hard drive to protect their data at rest. Nothing that chrome can do in its security context is anything more than placebo - as shown by the fact that malware (and legitimate programs!) can read the Firefox local password database.

0 comments

libertymcateer9y ago

> Why? Because that's a false sense of security. Chrome would have to also store the encryption key, and store it in the same place and under the same access controls as the encrypted data.

I hear you, but this is not the case with Safari. It offers secure local storage. It's the securesettings API. It uses the OS level encryption, and, based on the current state of play, this does not appear to be compromised.

> as shown by the fact that malware (and legitimate programs!) can read the Firefox local password database.

Is this also the case for Safari? I have not read anything to this effect.

GauntletWizardOP9y ago

I'll admit that the OSX Keychain has advantages - Offering OS-managed secure storage, with the possibility of the OS authenticating requests for credentials with the user is pretty cool. But as Chrome is cross-platform, and there's not standardized and similar APIs on Linux and Windows, I don't think it's the right move to have an OSX exclusive implementation that uses that api.

libertymcateer9y ago

> But as Chrome is cross-platform, and there's not standardized and similar APIs on Linux and Windows, I don't think it's the right move to have an OSX exclusive implementation that uses that api.

That is a very fair point, which I will take into consideration.

mschuster919y ago

> It uses the OS level encryption

So all the NSA/CIA needs is a XNU kernel exploit which they need anyway for iPhone root exploits. Then, intercept the securesettings API or just do a raw memory dump of the browser process.

And the NSA has another card they can play, and that way easier on Apple than on the fragmented Windows ecosystem: all the tiny chips on your motherboard (EC, or any chip on the PCI bus which has DMA) can read and parse the RAM. Given that there is a highly limited number of different Mac EC chips and even then Apple likely uses the same firmware across them, it's easier for CIA/NSA to develop an exploit for these and don't care about kernel at all.

j / k navigate · click thread line to collapse

0 pointsGauntletWizard9y ago0 comments

0 comments

libertymcateer9y ago

> Why? Because that's a false sense of security. Chrome would have to also store the encryption key, and store it in the same place and under the same access controls as the encrypted data.

> as shown by the fact that malware (and legitimate programs!) can read the Firefox local password database.

Is this also the case for Safari? I have not read anything to this effect.

GauntletWizardOP9y ago

libertymcateer9y ago

> But as Chrome is cross-platform, and there's not standardized and similar APIs on Linux and Windows, I don't think it's the right move to have an OSX exclusive implementation that uses that api.

That is a very fair point, which I will take into consideration.

mschuster919y ago

> It uses the OS level encryption

So all the NSA/CIA needs is a XNU kernel exploit which they need anyway for iPhone root exploits. Then, intercept the securesettings API or just do a raw memory dump of the browser process.

j / k navigate · click thread line to collapse