← Back to team overview

desktop-packages team mailing list archive

[Bug 1534645] [NEW] Cannot easily preserve a keyring to be only unlocked manually

 

Public bug reported:

Assume you want to create a keyring for secrets that you only need
rarely and thus want to access only on demand (not unlock on every login
session).

Whenever you access/unlock the keyring for the first, second, etc. time,
the "Unlock keyring" dialog asks for the password and has a preselected
checkbox "Automatically unlock this keyring whenever I'm logged in".
This is however not the current setting for this keyring, so it
constitutes a change of a setting, which counteracts the (likely)
intention of the user.

It is to easily to type the password and hit enter, thereby changing
this keyring to an automatically unlocked one, and this risk happens
repeatedly everytime you unlock it. In case you forgot to uncheck the
checkbox, the only way to restore the original setting is hidden (not in
keyring → properties, but only by setting a new password).

A security-focused application should also not have defaults that tend to decrease security in favor of usability.
Having the checkbox preselected gains less extra usability (for the case the user wants to change the keyring to be automatically unlocked: 1 click saved) than that it decreases usability (in case the user wants to keep the keyring manual: 1 click everytime to unselect it).

A possible fix is to not preselect the checkbox.

version 3.10.2 in Ubuntu 14.04 as well as in the version in Ubuntu 15.10

** Affects: seahorse (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to seahorse in Ubuntu.
https://bugs.launchpad.net/bugs/1534645

Title:
  Cannot easily preserve a keyring to be only unlocked manually

Status in seahorse package in Ubuntu:
  New

Bug description:
  Assume you want to create a keyring for secrets that you only need
  rarely and thus want to access only on demand (not unlock on every
  login session).

  Whenever you access/unlock the keyring for the first, second, etc.
  time, the "Unlock keyring" dialog asks for the password and has a
  preselected checkbox "Automatically unlock this keyring whenever I'm
  logged in". This is however not the current setting for this keyring,
  so it constitutes a change of a setting, which counteracts the
  (likely) intention of the user.

  It is to easily to type the password and hit enter, thereby changing
  this keyring to an automatically unlocked one, and this risk happens
  repeatedly everytime you unlock it. In case you forgot to uncheck the
  checkbox, the only way to restore the original setting is hidden (not
  in keyring → properties, but only by setting a new password).

  A security-focused application should also not have defaults that tend to decrease security in favor of usability.
  Having the checkbox preselected gains less extra usability (for the case the user wants to change the keyring to be automatically unlocked: 1 click saved) than that it decreases usability (in case the user wants to keep the keyring manual: 1 click everytime to unselect it).

  A possible fix is to not preselect the checkbox.

  version 3.10.2 in Ubuntu 14.04 as well as in the version in Ubuntu
  15.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/1534645/+subscriptions