Hi

On Wed, March 19, 2014 2:06 pm, Alfredo Pironti wrote:
> One case I was thinking of is password swapping. Suppose you have a
> password for good.com, and one for bad.com. If the attacker can swap the
> passwords, next time you'll try to log into bad.com, you'd be giving the
> attacker your password for good.com.

That's an interesting idea. They don't even need to swap, just overwriting
bad.com would be enough. It would also be harder to detect as all the
passwords could continue to work (as bad.com is cooperating).

To further that thought, it is not necessary that bad.com is cooperating
with the attacker. If the attacker has access to victim network traffic, a
single plain http (as opposed to https) site login in the pass repo would be
enough to leak the good.com password.

> Using git-level signature ensures integrity of the data on the remote
> repository, but not of the local data. Hence, you get protection from
> attackers controlling a git repository, but not from attackers being able
> to write into your home directory. If you want to protect also from local
> attackers, then pass-level signature seems to be required.

I'm not sure I know what you mean by local and remote attackers, best guess
is:

Local attacker - can modify a pass repo that is being directly read/written
with pass.

Remote attacker - can modify a pass repo that is only pushed/pulled via git
and not directly modified.

If this is the case, then I think pass cannot even attempt to address local
attackers - if they can read and write your files they can just as well
backdoor your pass/gpg binaries and/or snoop your passwords from the
terminal.

So covering the remote attacker case with git-level signatures would be
enough to address this. It sounds like it would be possible to do this by
default if needed, Jason, wdyt?

-- 
Siim Põder

_______________________________________________
Password-Store mailing list
http://lists.zx2c4.com/mailman/listinfo/password-store
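Added example, not part of the original message or of pass itself: a small model of why a signature over the whole tree catches the overwrite discussed in this thread while a per-file check does not. The HMAC stands in for a GPG-signed git commit, and the store contents, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample store: entry path -> opaque blob standing in for a gpg file.
STORE = {
    "good.com.gpg": b"<ciphertext of good.com password>",
    "bad.com.gpg": b"<ciphertext of bad.com password>",
}
SIGNING_KEY = b"constructed-demo-key"  # stand-in for the owner's signing key


def tree_digest(store):
    """Hash every (path, blob hash) pair, the way a git tree binds names to blobs."""
    h = hashlib.sha256()
    for path in sorted(store):
        h.update(path.encode() + b"\0" + hashlib.sha256(store[path]).digest())
    return h.digest()


def sign(store, key=SIGNING_KEY):
    """HMAC over the tree digest; stands in for a signed commit (assumption)."""
    return hmac.new(key, tree_digest(store), hashlib.sha256).digest()


def verify(store, signature, key=SIGNING_KEY):
    """True only if paths and blobs are exactly what was signed."""
    return hmac.compare_digest(sign(store, key), signature)


def blobs_all_known(store, known_blob_hashes):
    """Per-file check only: was each blob produced by the owner? Ignores names."""
    return all(hashlib.sha256(b).hexdigest() in known_blob_hashes
               for b in store.values())


def demo():
    """Return (per-file check on tampered, signature on original, on tampered)."""
    signature = sign(STORE)
    known = {hashlib.sha256(b).hexdigest() for b in STORE.values()}
    # The tampering from the thread: bad.com now holds good.com's blob.
    tampered = {**STORE, "bad.com.gpg": STORE["good.com.gpg"]}
    return (blobs_all_known(tampered, known),
            verify(STORE, signature),
            verify(tampered, signature))


if __name__ == "__main__":
    print(demo())
```

Every blob in the tampered store is still one the owner encrypted, so only a check that binds entry names to contents, as a signed tree does, notices the change.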
