Ubuntu QA:
BlogBrainstormPackage status
Log in
Ubuntu QA
The Ubuntu community has contributed 22700 ideas, 138270 comments, 2629576 votes
Idea sandbox Idea sandbox
Popular ideas Popular ideas
Ideas in development Ideas in development
Implemented ideas Implemented ideas
Idea #22120: Preventing unwanted eyes prying on confidential information

Written by humphreybc the 29 Oct 09 at 03:31. Related project: Gnome. Status: New
Rationale
Despite needing to enter your root password to alter such basic things as CPU Scaling, you are not once prompted to enter it to access the Passwords and Encryption Keyring. Anyone is able to view your stored MSN, Twitter, email and Wifi passwords in four simple clicks of the mouse from the desktop.

How to reproduce:

1. Restart your computer and login. Do not enter any passwords after your desktop has loaded.

2. Go to Applications > Accessories > Passwords and Encryption Keyrings

3. Click on the 'Login' folder to drop down and view the programs that store data here.

4. Double click on something you want to look at.

5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.

This is a security risk, and, because it is a conscious decision for design, not classified as a bug.

Here's the related Ubuntu Forums thread:
http://ubuntuforums.org/showthread.php?t=1302342

and, a post on omgubuntu.co.uk:

http://www.omgubuntu.co.uk/2009/10/security-issue-in-gnome-lets-anyone-see.html

-----------



18
votes
up equal down
Solution #1: Prompt to enter user password before showing stored passwords in clear text
Written by humphreybc the 29 Oct 09 at 03:31.
The Seahorse program should prompt you to enter in your user password, much the same way that sudo works, before allowing the stored passwords to be displayed in clear text.

Also, the "Passwords and Encryption Keys" Application should be moved to Preferences.
10
votes
up equal down
Solution #2: Unify Ubuntu personal security.
Written by snkiz the 29 Oct 09 at 04:11.
this is my thought on how to fix it.

The way I see it Ubuntu is almost there, seahorse does ask permission
just no confirmation. And we do have the tools like gconf. And
policykit, witch can handle non-root permissions and IMO is way under
used.

Here's my idea, create a sane list of default apps that can access
seahorse. The ability to change that list through gconf, and
permission checks through policykit for unexpected apps, changing info
or viewing passwords. And finally come up with a unified personal
security policy for the desktop as a whole. (IN about me you need your
password to change your password and about me does not display clear
text.)
0
votes
up equal down
Solution #3: Don't show passwords in plain text
Written by daithi the 27 Nov 09 at 03:04.
Why is there even an option to show passwords in plain text from within a GUI application? This option should be removed, especially if the other solutions are likely to be difficult to implement in practice.
0
votes
up equal down
Solution #4: Require user password before showing passwords in keyrings
Written by zorkerz the 2 Dec 09 at 03:15.
The Seahorse program should prompt you to enter in your user password, much the same way that sudo works, before allowing the stored passwords to be displayed in clear text.

Note: this is the same as solution #1 except that the seahorse launcher "Passwords and Encryption Keys" should remain under applications.
-2
votes
up equal down
Solution #5: Temporary Solution: Educate people
Written by agrouo the 15 Dec 09 at 01:56.
When using a graphical tool for key management (e.g. seahorse) for the first time, tell the people that their passwords and account are generally not safe and they should resort to locking their session and let others use the easily accessible guest account.

(not denying the bigger, but most probably quite harder problem, of securing passwords)
-1
votes
up equal down
Solution #6: Authentication service instead of password store
Written by agrouo the 15 Dec 09 at 02:37.
Generally switch to a better security scheme than passwords. Especially, where no direct user interaction is necessary.

Aims
* preventing programs from accessing passwords of other programs
* avoid using passwords as far as possible

How
* if possible use mechanisms without passwords (e.g. mail account AUTH DIGEST)
* reconstructing passwords should happen in different applications

This consists of three parts:
1) allow programs to let the service handle authentication for them (e.g. mail program lets the authentication service handle AUTH DIGEST authentication, so it doesn't need to see the password at all)

2) restrict access to stored information to the right programs (see Solution #2)

3) For applications which need to use password: instead of storing user-entered passwords to be accessed by the application, store keys which the application needs for decrypting the real passwords.
In this way, attacks would have to be crafted for specific applications, not only against the password store.


Propose your solution

Attachments
forum Ubuntuforums.org thread #1302342


Duplicates


Comments
No comments.

Post your comment