attacks

Posted Dec 20, 2011 19:39 UTC (Tue) by nybble41 (subscriber, #55106)
In reply to: attacks by dlang
Parent article: Razor-qt 0.4 released

The dialog doesn't need to be system-modal. It just needs to ensure exclusive access to the keyboard as long as it has the focus so that nothing else can observe your password.

Note that you're still vulnerable to impersonation attacks, since any other program can pretend to be the system dialog and capture your password that way. A reserved, unblockable shortcut key helps, but doesn't entirely eliminate the issue. To block this sort of attack you need some form of secure channel (like a dedicated LED) with which to indicate that the system dialog has successfully reserved the keyboard focus.


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.