> On 2016-08-30 01:16, johnyju...@sigaint.org wrote:
>> Say someone compromises the dom0 encrypted drive password, and
>> then goes shuffling through the private.img file of the AppVM's to
>> get at Firefox's passwords...? The VM itself wouldn't have to be
>> running corrupt code for that, and keeping the passwords out of
>> Firefox prevents that attack.
>>
>> (Firefox's master password could also help prevent such attack, I
>> guess. Is strong crypto used for that? It's still a single point
>> of failure, but so is the keepass master password. At least with
>> keyfiles and physically taking the device with me, that keepass
>> single point of failure is mitigated.)
>>
>
> Qubes is designed with the assumption that if dom0 is compromised, the
> whole system is compromised. So, from a "standard" Qubes perspective,
> it doesn't really make sense to talk about protecting Firefox
> passwords when dom0 is assumed to be compromised. If your threat model
> differs significantly from this assumption, then you may need to
> specify it in more detail.

Understood. I think most of my security violations in the past were done remotely, and with dom0 having no networking, that risk is quite low. There have been occasions where I suspected physical access and a keylogger/camera, however.

Notwithstanding "dom0 is compromised and you're screwed," there is one threat model where Firefox passwords are less safe, possibly:

With a hardware keylogger or an over-the-shoulder-camera, one can glom the root disk password (and any Firefox master password). Then when you're out (or via a network card management mode, BIOS trojan, whatever) get into the system, go through the .img files to find the Firefox passwords. All of your online passwords are revealed at that point.

If the passwords only existed in keepass on a removable USB drive, then they're safely with you. Even if that keylogger grabbed your keepass password, it's no good to any attacker. And the passwords have never been typed, so any keylogger/camera doesn't have them.

Yes, an attacker who gets into the system could at that point plant trojans, but if you have in place other intrusion detection mechanisms (not necessarily just on the computer) you can be aware of that fact, and redo the system from a backup. Your computer may be toast, but your email and online world is still safe.

I guess if you never typed your Firefox master password, but used keepass for it, too, and assuming Firefox's password storage is strongly encrypted, then your passwords are still pretty safe in case of a dom0 violation.

Whenever you start stacking "if's" like that, though, I start feeling less secure. :)

I do know the passwords can't be stolen if they're not on the system and have never been typed, short of the system already having been compromised.

I don't know enough about Firefox's master password encryption to trust it 100%. Faulty assumptions have cost me dearly in the past, so I try to make as few as possible these days.

> P.S. - Please keep the list CCed (unless there's a special need for
> privacy, in which case, use PGP).

I definitely will share the results with the group. There won't be anything in the setup whose revelation would reduce my own security. :) But I appreciate the sensitivity.

> I've noticed that you keep CCing
> "qubes-users@goog" instead of "qubes-users@googlegroups.com".

Apologies. I'll be more careful cleaning up the To/Cc on mailing list replies in the future. sigaint was truncating the field, and I neglected to notice (until the bounce).

Hey, at least I'm not still top posting. :)

JJ