undefined | Better HN

0 pointsmd_9y ago0 comments

Yep. Same. And I would probably have posted a longer and less confrontational explanation of why you're (mostly) wrong if I weren't tired after a long day of work. ;)

The whole "why not encrypt local resources" thing is an odd red herring that a lot of (even fairly experienced) people trip over. There was a massive public furor over Chrome's chrome://settings/passwords (i.e. lack of a master password) design choice a couple of years ago that was a specific such case in point.

0 comments

libertymcateer9y ago

This argument is almost exactly what I was on about. I'd love to see some summary of it and why they came down where they did.

md_OP9y ago

Sorry. I went to bed. I'll frame the basic argument for Chrome and then show how it expands to other systems.

Chrome: =======

Someone who can access chrome://settings/password is presumed to have physical access to your powered-on, unlocked machine. E.g. someone who sits at your keyboard when you get up for coffee.

And that person can just as easily install a Chrome extension that sniffs your passwords or steal your raw auth cookies directly from the developer console. (He could even paste some JS into the developer console to intercept the password as-typed by autocomplete!)

(Note that an attacker with access to a locked/powered-off machine or with no local access is not part of the threat model, since they are presumed to be addressed by FDE, screen locks, remote access controls, etc.)

Now, the major counterargument is essentially that a lot of unsophisticated attackers (like spouses) may not know about cookie jars or JavaScript, but they know about "view saved passwords." I find this argument somewhat reasonable, but from some vantage point it's security theater--not knowing about ctrl+j isn't a strong security guarantee, after all. So I view the Chrome team's stance as being a very principled one, namely: don't invest in "security" features where a bypass would not be a bug.

(In some literature this is referred to as a "security boundary", typically defined as "a control which, if bypassed, has a bug." Note the contrast with, for example, spam filters and antivirus, which may be sometimes bypassed while working as intended.)

More generally: ===============

I think what was lacking in this conversation in general was a firmly defined threat model and a firmly defined security boundary. My contention about per-application encryption is that it doesn't represent a security boundary because any attacker who can execute code that can read application-ACL'ed data on disk is by definition either running code at a higher security level (e.g. has root) or is running code at the same security level (and can thus inject code into the browser process itself).

This conversation gets a little more complex when talking about mobile OSes that have per-application sandboxing, but the same observation effectively holds.

Anyway, I'm tired of typing, but hopefully that makes a bit of sense. Let me know if I'm being confusing.

libertymcateer9y ago

So, tell me what I am misunderstanding here:

* On OSX, OS passwords are stored in the keychain. * However, Chrome stores passwords in a local SQLite database https://www.howtogeek.com/70146/how-secure-are-your-saved-ch..., which, on osx, I believe is in your Application Support Folder ("ChromeDB") * The user, who is not root, has read/write access to the ChromeDB * Is it not the case, then, that any script that has user-level permissions can access the Chrome passwords? Because Chrome is not available through the app store, it does not store passwords on the OSX keychain, which, again, correct me if I'm mistaken, requires higher permissions to read? So that, for instance, a malicious script that only had user-level permissions could not access the contents of databases encrypted with credentials stored in the keychain?

1 more reply

j / k navigate · click thread line to collapse

0 comments

libertymcateer9y ago

This argument is almost exactly what I was on about. I'd love to see some summary of it and why they came down where they did.

md_OP9y ago

Sorry. I went to bed. I'll frame the basic argument for Chrome and then show how it expands to other systems.

Chrome: =======

Someone who can access chrome://settings/password is presumed to have physical access to your powered-on, unlocked machine. E.g. someone who sits at your keyboard when you get up for coffee.

More generally: ===============

This conversation gets a little more complex when talking about mobile OSes that have per-application sandboxing, but the same observation effectively holds.

Anyway, I'm tired of typing, but hopefully that makes a bit of sense. Let me know if I'm being confusing.

libertymcateer9y ago

So, tell me what I am misunderstanding here:

1 more reply

j / k navigate · click thread line to collapse