Tuesday, August 13, 2013

Et tu, Google?

I was just reading through the comments over at Y Combinator about Elliott Kember’s blog post about Chrome. I am shocked. You, as my only reader, are already familiar with the fact that my hobby, education, and profession are all security. Initially software, but expanding to just security.

Not only shocked, but absolutely appalled. Mister Kember is writing about how Chrome has revealed that OS X provides programmatic access to your “Keychain” without requiring a password. Think about that again. OS X pretends to be guarding your passwords, but... not really. About half the comment replies are attacking Google, for not protecting something which is not otherwise protected!

What the Google haters are asking for is no different than “encrypting” your passwords.txt file by renaming it passwords.exe. Sure, it means that your Grandma can’t double click on the desktop icon to read them, but it doesn’t mean it is secure.

Justin Schuh, from Google, had this to say about the password security...

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater. Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants. We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

… and it is all true. Thank you, Google, for concerning yourself with true security instead of faking it.

Now, onto my list of favorite fails from the comments!

  1. “This sets up a situation where Chrome actually circumvents and makes passwords originally stored in Safari less secure than they were initially” - Without having a Mac to research, I can’t say for sure, but it sounds like neither Chrome nor Safari is storing the passwords on a Mac; they use the operating system keychain, which obviously doesn’t require a password to access or Chrome couldn’t do it.
  2. “This concerns me. I have friends that I would not trust around my computer now because...” - Sorry mate, you shouldn’t be trusting those friends to access your computer then. Think a bit more about what all you are exposing yourself to. Chrome isn’t the problem.
  3. “Also, going off what you have said, the "locking" process in windows is pointless since it offers a false sense of security. It can be broken just by rebooting the computer with a boot disk, right?” - A rebooted machine has wiped system state and still doesn’t gain the attacker anything if you defended against it. *cough* disk encryption *cough* Applications can’t reasonably defend against the OS and the OS can’t defend against the hardware. Thems the breaks.
  4. “that does make it psychologically harder” - When your standard of security is “I’m protected against someone that doesn’t want to attack me” then you have lost. Leave up a sign that says “Key under mat” or don’t lock your door; neither is protecting you.
  5. “Yes, but by your reasoning, surely obfuscating passwords when inputted into websites is also pointless, yet you do do this in Chrome” - Masking passwords is not done to protect them from the user; it is done to protect them from anyone with visible access to the screen.

You only defend against the threats you try to defend against. Chrome has decided to not try to defend against the malicious user legitimately logged into your system, because they can’t. Not really. It even says so in their FAQ: “Why aren't physically-local attacks in Chrome's threat model?” So, either use Chrome as it is or don’t. Just realize that whatever else you use is failing to protect you from a malicious user too. How long does it take to steal your Chrome passwords? No longer than it takes to install a RAT from a thumb drive!

The title is just amusing to me; I don't feel betrayed by them at all. In fact, when I forgot a password I had saved, Chrome reminded me. And I was glad for it.
