Hi, 2012/9/25 Pekka Paalanen <[email protected]>: > On Tue, 25 Sep 2012 01:46:37 +0200 > Piotr Rak <[email protected]> wrote: > >> Hi, >> >> Although I am not security expert, I'd like to share my input into >> this topic, so putting on my black hat... >> >> It is probably not great discovery, but I believe that minimal >> requirement for given combination of keys, to be allowed as global >> shortcut is that is not printable and not whitespace given currently >> selected keyboard layout. Such combination should never be delivered >> to application, that doesn't have active keyboard focus. >> >> Two major reasons of that: >> >> - security: reason is rather trivial, those may contain data, that >> can be considered sensitive, like credit card number password, or >> whatever. I can't imagine other sequences be consider sensitive >> (beside SAK which is special in its way). >> - usability: I really wouldn't be happy, if some app *steals* >> character that I type in does something fancy, changing my online >> presence to available any time I type in AltGr+A - ("a with ogonek" in >> polish programmer's layout) for example... >> >> It seems impossible ban key sequences for all possible keyboard layout >> configs, considering that it's not that hard write own, so it seems >> wise do this check at runtime. >> I don't think that user will be very surprised by fact that shortcut >> being dropped silently with changed layout. They may be, but for sure >> not while typing url, texting, or editing text... >> >> It also doesn't sound that terribly complicated to put words in code >> (given XKB shares enough info, and decent enough isprint for unicode >> is somewhere out there, which I haven't checked). >> >> I don't see possible attack vector in allowing applications to check >> if given sequence is available for them now or notification about >> layout change, but possibly I am not creative enough. >> >> @Semantic approach idea suggested during XDC "Security": >> >> It sounds interesting, but it seems to be still leaving at least minor >> attack vector, unless above requirement is met too. >> >> Let's imagine that compositor Y becomes most popular compositor, or >> even better, most of compositors use some library for their semantic >> binding handling. It (compositor or library) is shipped usable enough >> configuration for keys and their actions - (that's ofc one of reasons >> that it is so popular :->). Now, most users or distros developers >> won't be tempted to change this config - people are lazy, and that's >> why civilization can progress at all :). >> If I want sniff their input - I have knowledge what this semantic word >> use for sniffing given sequence, using knowledge of default >> configuration. >> >> That's just tiny bit harder, won't work in 100%, but hey, I am not >> that greedy - just few passwords will do just fine; I don't have to >> get them all, right? Bah, even parts of passwords can be helpful, and >> cut loads of work I imagine. >> >> What would make that potential attack even sweeter - *flaw* is shipped >> by default. :-) >> > > Hi Piotr, > > it sounds like you make a fundamental assumption on something, that > makes global shortcuts insecure, and so you set out to solve these > problems. > > What is it that you assume? > What is the root of the problems? > What are the problems you are trying to solve? >
I should have state this more clearly, but the problem is - how to do global shortcuts in application in secure way. The issue was raised during XDC. Video of talk can be watched online http://www.youtube.com/watch?v=hJpiJii44oo&feature=relmfu - discussion about wayland input handling starts around 23:30s. Those are my thoughts/comments after watching it, on one questions that was left open there. > Sorry, but I just couldn't understand anything you wrote. Hope that explaination is sufficient. > > Thanks, > pq _______________________________________________ wayland-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/wayland-devel
