On Sun, May 21, 2017 at 01:45:42PM -0500, Andrew David Wong wrote:
> On 2017-05-21 03:45, tokidev wrote:
> > On 21.05.2017 at 01:54, Andrew David Wong wrote:
> >> On 2017-05-17 23:49, tokidev wrote:
> >>> Hello everyone,
> >>
> >>> like the subject already says, I'd like to request a feature which
> >>> shows the exact clipboard size when hitting the magic hotkey Ctrl-Shift-C.
> >>
> >>> Due to lack of hardware, I didn't test if this is already the case, but
> >>> I couldn't find any suggesting.
> >>
> >>> AFAIK, after hitting the mentioned hotkey there appears a dom0 message
> >>> box confirming that hit. This seems to be the ideal place where to
> >>> inform the user about the current clipboard size.
> >>
> >>> The aim is to enable the user to estimate if the clipboard seems to be
> >>> reasonable without parsing it. As Joanna mentioned here [1], parsing is
> >>> potentially dangerous. So, this feature here could be a practicable
> >>> middle course.
> >>
> >>> I know that this should not let the user feel safe. Even with this
> >>> feature, it's still potentially dangerous to copy from a less trusted VM
> >>> to a more trusted one. However, this feature could prevent some
> >>> malicious attacks in an easy way, independent from the trust to a VM.
> >>
> >>> Let's say, a malware tries to put harmful code into the clipboard a
> >>> hundred times per second, thus, it'll override the user's clipboard
> >>> content before pasting it and also before hitting Ctrl-Shift-C. Okay, I
> >>> have to admit that an even smarter malware might keep the size of the
> >>> big enough clipboard when putting its payload to it.
> >>
> >>> Of course, the user should be "trained" in guessing the necessary
> >>> clipboard size before using that feature. A new "Estimating Clipboard
> >>> Size" documentation section or page, showing examples for ASCII plain
> >>> text, UTF-8 plain text, HTML text, images etc., could help.
> >>
> >>> Besides that, it could be useful to show the size again after hitting
> >>> the magic hotkey Ctrl-Shift-V.
> >>
> >>
> >>> What do you think about it?
> >>
> >>> Kind regards,
> >>> Tobias
> >>
> >>> [1] https://groups.google.com/d/msg/qubes-devel/JJN9GZMmp5s/AW7gzjK1tEgJ
> >>
> >>
> >>
> >> Interesting idea. If I understand correctly, it would work something
> >> like this:
> >>
> >> I copy one sentence, and the dom0 notification says something like,
> >> "Copied X bytes to the clipboard."
> >>
> >> But if, instead, I copy one sentence, and the notification says, "Copied
> >> X *kilobytes* to the clipboard," then this tips me off that the VM from
> >> which I copied has replaced my single sentence with a large, potentially
> >> malicious payload.
> >>
> >> Is that the idea?
> >>
> >>
> > 
> > Exactly!
> > 
> > It could also work the other way around: Let's say, in the GIMP you copy
> > a large bitmap image but afterwards the clipboard is just a few hundred
> > bytes big.
> > 
> > I prefer to show the exact number of bytes, besides an optional
> > representation with a unit prefix when numbers become very big, e.g.,
> > "Copied 2,560 bytes (2,5 kiB) to the clipboard." but "Copied 128 bytes
> > to the clipboard."
> > 
> > Of course, the bigger the expected clipboard size the more difficult to
> > estimate that size. Thus, for providing the user a measure, the message
> > could also say something like "This could be a big sentence in plaintext
> > or a few file names." or "This could be e.g. a bitmap image of size
> > 1024x1024 or an MP3 file of around 2 minutes."
> > 
> > A nicer approach: Assuming that it's safe to extract the type(s) of the
> > clipboard content(s) then those estimates could be in relation to that
> > type(s), e.g.:
> > 
> > "Copied 2,560 bytes (2,5 kiB) to the clipboard.
> > Content type: Uncompressed bitmap image.
> > Estimated dimensions:
> > - 29x29 pixels at 24-bit color resolution.
> > - 50x50 pixels at 8-bit color resolution.
> > - 143x143 pixels at 1-bit color resolution."
> > 
> > Tobias
> > 
> 
> It's an interesting idea. I don't know how useful it would be to most
> users. Would most users understand it? Would they even read it? If we
> make the messages even longer by adding the "examples," it seems even
> less likely they would read it. Trying to report the content type
> might require too much parsing.
> 
> What do you think, Marek?

Guessing content type here IMO is a bad idea - it would require parsing
an arbitrary complex file format in dom0 (*), so would be a huge attack
surface. But just clipboard size is perfectly possible. I don't think it
would be a meaningful security feature (if you expect 2.5 kiB data, it can
still be 2.5 kiB data, but completely different), but could be useful
for spotting user errors (missing Ctrl-C before Ctrl-Shift-C or so).

(*) well, you could imagine using a DispVM for that, but starting a new
DispVM just for showing a bit more verbose message looks like
overkill.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
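
The size-only notification discussed in this thread, as an added example that is not part of the original messages and is not Qubes code: the byte count comes from file metadata, so the clipboard content is never opened or parsed. The path `clipboard.bin`, the function names and the empty-clipboard wording are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Render n with thousands separators ("2,560"), independent of locale. */
static void group_digits(unsigned long long n, char *out, size_t len)
{
    char raw[32], tmp[48];
    snprintf(raw, sizeof raw, "%llu", n);
    int rawlen = (int)strlen(raw), j = 0;
    for (int i = 0; i < rawlen; i++) {
        if (i > 0 && (rawlen - i) % 3 == 0)
            tmp[j++] = ',';
        tmp[j++] = raw[i];
    }
    tmp[j] = '\0';
    snprintf(out, len, "%s", tmp);
}

/* Build the notification from the byte count alone (wording is illustrative). */
const char *clipboard_notice(unsigned long long size, char *msg, size_t len)
{
    char exact[48];
    group_digits(size, exact, sizeof exact);
    if (size == 0)          /* user-error case: nothing was copied inside the VM */
        snprintf(msg, len, "Clipboard is empty (0 bytes). Missing Ctrl-C?");
    else if (size < 1024)   /* small sizes: exact count only */
        snprintf(msg, len, "Copied %s bytes to the clipboard.", exact);
    else if (size < 1024ULL * 1024)
        snprintf(msg, len, "Copied %s bytes (%.1f KiB) to the clipboard.",
                 exact, size / 1024.0);
    else
        snprintf(msg, len, "Copied %s bytes (%.1f MiB) to the clipboard.",
                 exact, size / (1024.0 * 1024.0));
    return msg;
}

/* Size from metadata only; returns -1 on error or if not a regular file. */
long long opaque_size(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return (long long)st.st_size;
}

int main(int argc, char **argv)
{
    char msg[128];
    long long n = opaque_size(argc > 1 ? argv[1] : "clipboard.bin"); /* placeholder path */
    puts(n < 0 ? "Cannot stat clipboard file."
               : clipboard_notice((unsigned long long)n, msg, sizeof msg));
    return n < 0;
}
```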