unity-design team mailing list archive

[Dylan McCall <dylanmccall@xxxxxxxxx>]

On Mon, Aug 2, 2010 at 7:47 AM, Dieki N <dieki.ubuntu@xxxxxxxxx> wrote:
> Currently, Ubuntu will by default require the user's login password when a
> program (Empathy or Gwibber, for instance) attempts to access the system
> keyring, unless the user entered her\his password when logging in. I'm
> guessing this was done for security, to prevent unauthorized users from
> accessing important user passwords. However, there are a number of reasons
> why this is ineffective:
>
> It doesn't apply to FireFox or (In UNE Maverick) Chrome. Normally, these
> applications store far more important passwords than the system keyring.
> It provides no protection from malware, since malware can just display a
> fake keyring password dialog.
> If an unauthorized user obtains access after the user has already unlocked
> the keyring, the protection is lost. (My guess is that most users that use
> the keyring unlock it shortly after login; but I have no real data on this)
>
> The better solution for security-conscious users is to enable home directory
> encryption, which not only protects keyring passwords, but also documents
> and Firefox\Chrome passwords.
> Therefore, requiring a user password for the keyring is nearly useless; and
> it's annoying to have to enter one's password when launching
> Gwibber\Empathy, particularly if they run on startup.
> Based on these reasons, it might be a good idea to use unsafe storage for
> passwords by default, with a good way to turn it on for those users that
> want it.

Gnome Keyring asks you to type in your password when you log in if you
have automatic login enabled, because it NEEDS your password in order
to decrypt the login keyring. (Automatic login is a bit cleverer than
just typing in your password for you, thankfully).

You can set the login keyring to have no password, which leaves it
unencrypted. However, I think that would be pretty ugly as something
in by default. For what it's worth, Chromium _is_ about to use
gnome-keyring / kwallet to store its password. That functionality is
in the current dev builds and quite stable. (As an option:
--password-store=detect). I don't know when it will land as default in
a stable build, but on my computer, at least, that leaves very few
applications storing my passwords in rude, inconsiderate ways. Firefox
is one of those few. There is movement afoot somewhere to create a
desktop-agnostic standard for password / secret storage. At that
point, there is really no reason why Firefox couldn't support it.
Getting that working would be a great course of action rather than
intentionally leaving peoples' passwords floating in the open.

As for encrypting the home directory, that hurts performance, and not
everyone is security conscious for the sake of it; high performance is
going to be important for a lot of those users, too. Besides,
encrypting your passwords is not something that should be limited to
the security conscious. It's generally good practice and it protects
people from a number of malicious computer attacks. This thing
protects ordinary users as much as it protects power users.

Now having said that, I may be more enthusiastic about change if it be
accompanied by configuration dialogs. Perhaps a nice, big "Encrypt my
passwords" button somewhere, alongside "I changed my mind, encrypt my
home folder" :)

Seahorse could certainly be better there. Right now, the only way you
can change a keyring's password is with a right click. It isn't in the
least bit obvious.


Dylan