- If we consider a compromised VM with:
- passwords saved in the browser: an attacker can obtain all passwords
- your proposed password manager: an attacker can still obtain all
passwords, just needs to wait for them to be used
- If we consider a non-compromised VM with:
- passwords saved in a browser: an attacker can not obtain passwords
- your proposed password manager: an attacker can obtain passwords
by changing window titles during authentication (which may or may not
be *detected* by a sharply observant user, but could still not be
*prevented* by one)
Therefore, your proposed solution is actually appears worse from a
security perspective (aiming to guarantee password confidentiality)
than just saving passwords in your browser!
Your argument appears to reduce to "This may be theoretically
exploitable, but the ease of implementation and additional convenience
is more important to me", which assumes your adversary is not
sufficiently {resourced, motivated, creative} to exploit that
theoretical weakness against you. For many users this assumption and
associated trade-off may be fine... however they are quite strongly
rejected in the arguments motivating the design of Qubes.
The key difference between this and the passwordless sudo argument you
bring up is that the qubes security model explicitly assumes that
user->root privilege escalation within a VM is possible, and designs
around that fact. Meaning, assuming the security assumptions of Qubes
[1] hold, passwordless sudo is *not* a theoretical weakness [2].
[1] which have nothing to do with assuming weak/unmotivated adversaries
[2] unless Xen vulns affecting Qubes are somehow more exploitable from
kernel vs. userspace within a VM *and* the adversary does not also
have a linux privesc exploit (which history has shown to be quite
unlikely)
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CABQWM_DFw3_%2BD5XViMkie7mn4x60WgQ7yvYVPhhXdzpxoBoMhQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
