On 09/01/2014 20:25, Bill Spitzak wrote:
Martin Peres wrote:
We don't need to trust the client much if we limit the number of
screenshots to 1. This way, the worst thing that could happen for
your privacy would be if your cat sits on the keyboard and presses
"print screen" all the time while you key in sensitive information
(unlikely, right?), even if the app just
This is not true. The server can refuse to feed the application with
more than one screenshot. This severely restricts the possibilities
of using this feature to spy on what a user is doing.
I just don't believe this is going to work.
Screenshot applications I have seen are triggered by a key, yes, but
all of them then show the initial screenshot to the user and then
allow the user to change parameters and make a second screenshot. I
suppose restricting the ui so that the user must hit the same key to
trigger a second screenshot may work, but I am very worried about any
scheme that forces ui decisions on clients.
Yes, X11-style screenshot apps won't work but this is for a good reason,
isn't it? And as far as I know, most users on Windows do not use any
application for screenshots, they just press "print screen" and paste
that in paint/whatever.
With my proposed solution, the app would only be used to edit the
screenshot (crop, resize). Different hot keys would be used depending on
if you want to grab a window, a screen or all the screens. Is that that
difficult for users? Any other solution will result in lost
confidentiality and, please, let wayland compositors be the only ones
that cannot be spied on easily!
Another concern is that a malware screenshooter could just fake
it (maybe copying an old screenshot) and then delay until the critical
time to take the screenshot. A timeout or cancel after too many other
surfaces are created/destroyed may work but this is sounding like
complexity to solve a pretty non-existent problem.
Pressing another time would spawn another program, not increment a
counter of "allowed screenshots".
The video capture API concerns me more.
But on Windows most fancy screenshooter applications do both. And
users do not think of these as being different.
Users do not think of them as being different because that's what they
learnt. Should we keep on making the same mistakes and carry that legacy
thinking? Should we lose confidentiality just for the fringe amount of
users who want a common GUI for screenshooters across all wayland
compositors? You know my answer...
I think you just have to assume that the bound application is "good"
and is doing what the user wants, even if it can take numerous
screenshots or opens the video api.
No constant access control == no security. Clients should never be
trusted. I trust the server because it is the one implementing the
service, but that's it.
I'm not trying to be mean or anything, I'm just trying to map some
expected requirements with what can be done. The only thing that
concerns me is to find the solution that lowers the confidentiality risk
while still being as usable as possible.
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/wayland-devel
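
The one-screenshot-per-key-press model argued for in this thread, sketched as compositor-side bookkeeping. This is an added example, not code from the thread, from Wayland or from any compositor: every name is hypothetical, and the deadline is an assumption modelling the timeout idea raised in the discussion.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical names throughout; this is not a Wayland protocol or API. */
enum scope { SCOPE_WINDOW, SCOPE_SCREEN, SCOPE_ALL_SCREENS };
enum verdict { ALLOW, DENY_NO_GRANT, DENY_SCOPE, DENY_EXPIRED };

struct grant {
    int client_id;        /* client the compositor itself spawned */
    enum scope scope;     /* fixed by which hot key was pressed */
    uint64_t deadline_ms; /* assumed timeout against a delayed capture */
    bool live;
};
#define MAX_GRANTS 8
static struct grant grants[MAX_GRANTS];
static int next_client_id = 1;

/* Hot key pressed: new client, one grant. Returns its id, or -1 if full. */
int on_hotkey(enum scope scope, uint64_t now_ms, uint64_t ttl_ms)
{
    for (int i = 0; i < MAX_GRANTS; i++) {
        if (grants[i].live && now_ms <= grants[i].deadline_ms)
            continue; /* slot still holds an unexpired grant */
        grants[i] = (struct grant){ next_client_id, scope, now_ms + ttl_ms, true };
        return next_client_id++;
    }
    return -1;
}

/* Capture request: the grant is consumed on first use, honoured or not. */
enum verdict request_capture(int client_id, enum scope scope, uint64_t now_ms)
{
    for (int i = 0; i < MAX_GRANTS; i++) {
        struct grant *g = &grants[i];
        if (!g->live || g->client_id != client_id)
            continue;
        g->live = false;
        if (now_ms > g->deadline_ms)
            return DENY_EXPIRED;
        return scope == g->scope ? ALLOW : DENY_SCOPE;
    }
    return DENY_NO_GRANT;
}

int main(void)
{
    int c = on_hotkey(SCOPE_WINDOW, 0, 5000); /* constructed key press */
    return request_capture(c, SCOPE_WINDOW, 10) != ALLOW;
}
```

A second key press yields a new client id with its own grant; nothing in the table can raise the budget of a client that already captured.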