On 03/30/2017 10:34 AM, Jean-Philippe Ouellet wrote:
> On Thu, Mar 30, 2017 at 5:31 AM, Chris Laprise <tas...@openmailbox.org> wrote:
>> xdotool also lets you inject keystrokes into windows.
>>
>> With a shortcut-key assignment this can be easily scripted by the user (you
>> said this was for power users).
>
> Automatically injecting the keystrokes removes the "just watch the
> window title and don't paste if it changed" mitigation which Shane
> claimed as sufficient to make this attack preventable rather than just
> detectable.

Agreed.

> Overall I think this concept is simply too dangerous because you are
> ignoring the actual origin of the browser and authenticating based
> entirely on fully attacker-controlled information. Sure, you could be
> super careful, but you're still pointing the gun at your foot.

Yeah, it could be dangerous, but still might be worth writing for oneself if the threat model seems appropriate. I wouldn't suggest this as a Qubes feature.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
