Agreed, I think the response of the Chrome security team is “disappointing”, to quote Tim Berners-Lee. I just blogged about this <goo.gl/zeIkz8>.
--
Cédric

On Wed, Aug 7, 2013 at 10:05 AM, Fabrizio Giudici <[email protected]> wrote:

> I had this question in mind for some time to ask here, but so far I didn't
> because after all was a well known theme. But I see that the point has been
> reprised by Engadget, so I have the excuse of commenting its post ;-)
>
> http://www.engadget.com/2013/08/07/chrome-saved-passwords/
>
> https://news.ycombinator.com/item?id=6166731
>
> Key point: Chrome doesn't protect user passwords with a master key. Google
> says that, beyond the o.s. login, everything else is "just theater" and
> would provide "a false sense of security", encouraging "risky behaviour" by
> the user.
>
> With all the respect that I owe to Google and its engineers... may I
> humbly say that this sounds to me as supreme nonsense? It sounds as saying
> "listen, a fence is just theater as it takes ten seconds to be broken. So
> we didn't build any fence around our plant". Still, all the military bases
> I know have a fence as the first level of protection. I've never seen one,
> but I guess that Google data centers are protected by a fence too. Are
> those guys just stupid?
>
> Out of the metaphor: I've always understood that good security is made by
> a layer of things, the former ones could be even easily breachable, but
> they act as a first gross filter.
>
> Practically, I've learned Google's point a few weeks ago when I moved to
> Chromium. I applied their point, making sure that Google data are on an
> encrypted partition; and I've always taken care of my laptop, e.g. making
> sure that when I move the encrypted partition is unmounted. This of course
> to protect a whole bunch of data other than Chromium passwords. Still,
> sometimes you can get distracted for just a few seconds and I don't think
> it's human to ask people to lock the screen when they just turn around. A
> master password would just prevent the nearby co-worker from peeking his
> nose in such circumstances. Without master password, it's really a matter
> of seconds to get to the passwords.
>
> Your opinion?
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog - [email protected]
>
> --
> You received this message because you are subscribed to the Google Groups
> "Java Posse" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to javaposse+unsubscribe@googlegroups.com.
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/javaposse.
> For more options, visit https://groups.google.com/groups/opt_out.
