Passive and active attacks via X11. Is Wayland any better?

Tiago Vignatti tiago.vignatti at
Mon Feb 20 05:28:29 PST 2012

On 02/18/2012 12:07 AM, Joanna Rutkowska wrote:
> The approach with trusted/untrusted apps is far from an optimal solution
> -- just as the world is not black and white, it is also hard to divide
> apps strictly into just two categories: trusted and not trusted. It is
> even difficult to assign 1-dimensional levels of trust to apps, such as
> in military (confidential, secret, top secret, etc). Consider e.g. the
> following security domains: work, personal, banking -- do you really
> think there is an ordering trust relation between them? I don't think
> so. In fact, the most reasonable solution is that a user wants isolation
> between all of them (which is a special case of a tree-like trust relation).

Funny, because Qubes implements exactly the 1-dimensional level policy
(per domain) for the isolation which you're opposing here. And your
system is a workaround by nature; it's implementing the isolation policy
entirely at the application level, calling heavy-weight VMs, and
breaking the fundamental concept of the desktop, which is to integrate
applications, having them interact with each other. Why not make the
isolation, well _selection_, at the windowing system's level instead?

> So, back to the example with clipboard -- what a user typically expects
> is that the clipboard allows for (secure) communication between two
> _select_ apps, such as e.g. KeepassX and the Firefox in the example
> above, and is not allowing any other app to steal the clipboard in the
> meantime.

Sorry, but what's the difference between what you describe here and the
other, to classify clients as trusted or not?

PS: I like nasty ;)


More information about the wayland-devel mailing list