
unity-design team mailing list archive

Re: [Fwd: Re: Update manager] - a secure way to ask for information

 

On Tue, Jun 16, 2009 at 1:00 PM, Vincenzo Ciancia <ciancia@xxxxxxxxxxx> wrote:

> On 16/06/2009 mac_v wrote:
>
>> In no way the system should decide what windows it can open...
>> If this is allowed it is only a matter of time before someone develops a
>> worm which uses this behavior and pops-up a window similar to the update
>> manager which also asks for the user password allowing the worm to take
>> control of the system using this password info.
>> *Is Ubuntu only going to realize this security risk after someone*
>> *develops a proof of concept worm or a real virus* ?
>> If this is done Linux will no longer be THE secure OS.
>> All windows in the window list should only be triggered by the user, all
>> other system processes should only trigger a notification.
>>
>
>
> Do you think it is easy to design a webpage that simulates such a "password
> fraud"? I see a difficulty here due to having to dim the whole screen to
> look like the standard password request, not that a user would not enter it
> in any kind of pop-up.
>
> On the other hand, I have an idea for a secure way to ask for user input.
> In the installer, the user chooses her own password, and the "secret phrase"
> which will be written in a root-only accessible file. This sentence will be
> shown to the user by the system when a password is asked and will
> authenticate the system with the user. The user should then be instructed not
> to enter his own password unless the right phrase is seen. A random phrase
> may be suggested automatically from a huge list

A few websites use a similar trick and display a custom image which the user
chooses. I think it's a bit of a better solution than using a phrase,
because people are more likely to notice if it changes.

-Natan
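
The root-only phrase file from the quoted proposal, as an added example that is not part of the original thread: a privileged prompt helper can refuse to show the phrase unless the file is a regular file, owned by the expected account, and inaccessible to group and others. The names `load_secret_phrase`, `UntrustedPhraseFile` and `owner_uid` are assumptions for illustration, and the demo uses a constructed temporary file in place of the real one.

```python
import os
import stat
import tempfile


class UntrustedPhraseFile(Exception):
    """The phrase file could be read or replaced by a non-privileged process."""


def load_secret_phrase(path, owner_uid=0):
    """Return the phrase only if `path` is a private regular file owned by owner_uid."""
    # O_NOFOLLOW: refuse a symlink planted at the expected path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # check the file actually opened, not the path again
        if not stat.S_ISREG(st.st_mode):
            raise UntrustedPhraseFile("not a regular file")
        if st.st_uid != owner_uid:
            raise UntrustedPhraseFile("owner is uid %d, expected %d" % (st.st_uid, owner_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise UntrustedPhraseFile("group or others have access: %o" % stat.S_IMODE(st.st_mode))
        phrase = os.read(fd, 4096).decode("utf-8").strip()
    finally:
        os.close(fd)
    if not phrase:
        raise UntrustedPhraseFile("phrase file is empty")
    return phrase


def demo():
    """Constructed sample: a temp file stands in for the root-only file."""
    uid = os.getuid()  # assumption for the demo; a real deployment would use owner_uid=0
    fd, path = tempfile.mkstemp()
    os.write(fd, b"purple heron forgets umbrellas\n")
    os.close(fd)
    results = []
    for mode in (0o600, 0o644):
        os.chmod(path, mode)
        try:
            results.append(load_secret_phrase(path, owner_uid=uid))
        except UntrustedPhraseFile as exc:
            results.append("refused: %s" % exc)
    os.unlink(path)
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```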
