Hi: Joanna and I had a quick back-and-forth about this article today: https://textslashplain.com/2017/01/14/the-line-of-death/
Pic-within-a-pic attack was mentioned, and I was wondering if we can do more to prevent spear-attacks aimed at Qubes users. I'm willing to bet your trusted work terminal looks exactly like this [1] (except my added bash powerline bits). Most people won't rename it from [work] to something else (partly for ease of copying files between VMs, partly out of inertia), so I'm willing to bet most of you would have a blue frame with the title "[work] user@work:~".
What if each login session generated a short random text label displayed prominently as part of the XFCE top bar UI, to act as your "session UI fingerprint," like "<XoaZ>" for the sake of example? Then the window decoration title would be:
<XoaZ>:[work] user@work:~
Identifying pic-within-a-pic attacks would be easier by quickly checking if the random string in the window title matches the string displayed in the XFCE UI (our "trusted pixels").
Just a thought for your consideration -- I have no idea how much work this would be. :)
.. [1] http://imgur.com/a/7Fzd0
