Ray Strode wrote on 28/09/10 02:12:
>...
> On Mon, Sep 27, 2010 at 3:44 PM, Milan Bouchet-Valat
> <[email protected]> wrote:
>...
>> Now, the problem is that it's hard to associate a PolicyKit dialog to
>> a window. Maybe the API should be changed to pass the parent window to
>> the daemon and back to the authentication agent. Not sure there are
>> other solutions.

Canonical contributed exactly this solution.
<http://bugzilla-attachments.gnome.org/attachment.cgi?id=143961>

> This is discussed somewhat on the SystemDialogs page:
>
> For example, a user shouldn't be able to sideline a system password
> dialog, because entering the password is a very important task that
> the user should be acutely conscious of. We don't want to desensitize
> the user from the risks of giving their password to anything that asks
> for it. In this vein, system password dialogs should look distinct, so
> that when a non-system dialog asks for the password the user questions
> whether or not to proceed.

Making the dialog system-modal would be one way of achieving that, but
there are less rude ways. One suggested by the Ubuntu security team,
which I think is a great idea, is to display the user's account icon in
the password dialog. It would still suffer from the Simon-says problem
(relying on you to notice the *absence* of something), but so would
making it system-modal or pretty much any other visual solution. The
main challenge then would be discouraging people from using the same
picture for their user account icon (which a malware page couldn't know)
as they do for their Facebook/Twitter profile (which it might).

> and there's a bug report about it here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=596260
>
> I'm not sure the malware argument is that strong. I mean if you've
> got malware installed, it can just snoop your password as you type it
> into a real, valid password dialog. Figuring out a proper solution
> for that is the "trusted path" problem, which is just not something
> that anyone is trying to solve yet.
>...

Right. The attack worth defending from here is imitation password
dialogs in Web pages. If you've got a malware executable running on your
computer, you've already lost.

-- 
Matthew Paul Thomas
http://mpt.net.nz/
