>I wouldn't want a vm inserting anything in dom0. You're *still* spreading this nonsense? After what I just said?
I don't know how much more clearly I lay this out, but let's give it a shot: Nothing is being 'inserted' into Dom0 and this does not in any way "open up" Dom0. This is a one-way street from Dom0 to the AppVMs, utilizing channels that already exist, and it could not function at all unless the tool was running *and* the user had manually set up a list of passwords in Dom0. Even if VMs are *completely compromised*, they remain unable to insert any information whatsoever into Dom0, they remain unable to generate the key combination that activates the tool, and in case of a spoofing attack (in the context of a total VM compromise, which goes far beyond the spoofing scenario suggested by M. Ouellet) they remain unable to request any passwords that the user had not previously earmarked as being associated with *that specific VM*. The Qubes isolation-based security model is thus being entirely preserved here. The aforementioned 'minor convenience' of the flow of information going the other way isn't being discussed at this time. It's not worth the bother and security implications, which is why I said that such functionality should wait until a more mature version of the tool comes along--a tool that probably doesn't utilize window titles at all and probably doesn't run in Dom0. And that feature might not even need to be implemented; there might be no real benefit vs. simply entering everything directly into the offline VM. I haven't thought about it yet! Because it isn't being discussed! As a *minor* convenience, it simply isn't on my radar right now. The concept was mentioned only to emphasize that it is what I am NOT suggesting. Capisce? Once again, the simple-to-create prototype version of the tool being talked about consists of Dom0 looking at window titles and then information flow occurs in a one-way street from Dom0 to the AppVMs, uses existing channels. Other than an optional anti-spoofing browser extension, the VMs would remain *entirely* ignorant of the existence of this tool, meaning that an attacker who entirely compromised a VM would not and could not know whether or not the tool were installed or running in Dom0. >I personally find you suspect. I'd tell you what I personally find you to be, but I don't wish to be locked up in solitary confinement. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b3381dac-bf82-41f6-bd09-1cb498b24aa9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.