[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Possible browser security problem

To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] Possible browser security problem
From: Giles Coochey <giles@xxxxxxxxxxx>
Date: Wed, 15 Jul 2020 22:29:46 +0100
Content-language: en-GB
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dcglug.org.uk; s=1586423162; h=Sender:Content-Type: Content-Transfer-Encoding:Reply-To:List-Subscribe:List-Help:List-Post: List-Unsubscribe:List-Id:Subject:In-Reply-To:MIME-Version:Date:Message-ID: From:References:To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner:List-Archive; bh=E3KSnrimmZs//RfKCYVWM3fpSOZ+FRobVtw8HEr7nfY=; b=wbLvZJWpyK93eGU3Llj/DlgZu lCwyo1ShX6PbMgjy2GwV4SNmlYsynGDsUdMv26UyOzrMQn9BzDG6x7fHvCdZrcgUFf2WgepzeU3G5 OYIMBJLh0ed3dxo3Rm7CD9U4Bip8vuLu/C4aVzgTTLhoHLYBCNOqFUHTctWzPLa8sL2Pc=;


On 15/07/2020 21:18, comrade meowski wrote:

On 15/07/2020 19:33, rich@xxxxxxxxxxx wrote:
So should we stop it and is that possible please?
It's a critical part of your operating system's design andfunctionality set - for a normal end user, this is definitely notsomething you should worry about. Xorg (and Wayland) both implementthis and it's a feature, not a bug.
The first casualty of disabling it would be your password manager andthings would only get worse from there.
The old method of dealing with this (for the paranoid, like me) is toinstall a clipboard manager with various privacy options availablesuch as one that stores multiple copy buffers by moving them into it'sown secured storage unreachable by - for example - web browserclipboard APIs and also repeatedly zeroes out any current "main"clipboard buffer content periodically.
This isn't a new problem by any stretch of the imagination - if youexamine the options in your password manager tool(s) you'll see mostof them implement a delayed wipe of your clipboard buffer so as toavoid leaving sensitive information effectively visible to anythingthat requests it. Obviously this is so they can work in the firstplace (by utilising the clipboard to temporarily store yourusername+password combos on route to the browser) but also don't justleave the info in the buffer for the next craptastic app that asks forit.
One for you to file under "don't worry about it" basically.

This reminds me of when Warwick University computer services labs, firstrolled out their X-terms to students, it wasn't long before everyone,working an X server from multiple terminals found out that they couldcontrol all the input systems (mice and keyboards) that were running offlily.csv.warwick.ac.uk, and before long the sysadmins closed down thelabs, fixed the problems and re-opened them.

(Read in to this: it is how you configure your system that causes it tohave a security issue, not the system itself, the system has no conceptof security, you do.).



--
Giles Coochey


--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq

References:
- Re: [LUG] Possible browser security problem
  - From: rich
- Re: [LUG] Possible browser security problem
  - From: comrade meowski

Prev by Date: Re: [LUG] Linux Mint 20 and autofs [trying to mount NFS shares on NAS]
Next by Date: Re: [LUG] Linux Mint 20 and autofs [trying to mount NFS shares on NAS]
Previous by thread: Re: [LUG] Possible browser security problem
Next by thread: Re: [LUG] Possible browser security problem
Index(es):
- Date
- Thread