
attacks


Posted Dec 20, 2011 18:59 UTC (Tue) by dlang (✭ supporter ✭, #313)
In reply to: attacks by alecs1
Parent article: Razor-qt 0.4 released

It can be really annoying for a dialog window to grab the focus and not let it go when you want to do something other than respond to that dialog window.

Using your example of something that asks for a password, what if you want to access your password safe to get that password?



attacks

Posted Dec 20, 2011 19:31 UTC (Tue) by alecs1 (guest, #46699)

I stand corrected; I didn't express myself very well, and I only meant the root password and one's own password for sudo.

I'm not insisting that all password requests should acquire total focus, but those that try to implement such a thing should be consistent and stable. I didn't do an analysis of what needs passwords and what not, but I think all system configuration that is triggered from the GUI and requires additional privileges should do this grab. The password safe should implement some extra security itself too.

attacks

Posted Dec 20, 2011 19:39 UTC (Tue) by nybble41 (subscriber, #55106)

The dialog doesn't need to be system-modal. It just needs to ensure exclusive access to the keyboard as long as it has the focus so that nothing else can observe your password.

Note that you're still vulnerable to impersonation attacks, since any other program can pretend to be the system dialog and capture your password that way. A reserved, unblockable shortcut key helps, but doesn't entirely eliminate the issue. To block this sort of attack you need some form of secure channel (like a dedicated LED) with which to indicate that the system dialog has successfully reserved the keyboard focus.
