← Back to team overview

unity-design team mailing list archive

Re: [Fwd: Re: Update manager] - a secure way to ask for information

 

On 16/06/2009 mac_v wrote:
In no way the system should decide what windows it can open...
If this is allowed it is only a matter of time before someone develops a worm which uses this behavior and pops-up a window similar to the update manager which also asks for the user password allowing the worm to take
control of the system using this password info.
*Is ubuntu only going to realize this security risk after someone*
*develops a proof of concept worm or a real virus* ?
If this is done linux will no longer be THE secure OS.
All windows in the window list should only be triggered by the user, all
other system process should only trigger a notification.


Do you think it is easy to design a webpage that simulates such a "password fraud"? I see a difficulty here due to having to dim the whole screen to look like the standard password request, not that an user would not enter it in any kind of pop-up.

On the other hand, I have an idea for a secure way to ask for user input. In the installer, the user choses her own password, and the "secret phrase" which will be written in a root-only accessible file. This sentece will be shown to the user by the system when a password is asked and will autenticate the system with the user. The user should then be instructed not to enter his own password unless the right phrase is seen. A random phrase may be suggested automatically from a huge list.

Vincenzo



Follow ups

References