Comment on global shortcuts security

Pekka Paalanen ppaalanen at gmail.com
Tue Sep 25 01:55:28 PDT 2012


On Tue, 25 Sep 2012 01:46:37 +0200
Piotr Rak <piotr.rak at gmail.com> wrote:

> Hi,
> 
> Although I am not a security expert, I'd like to share my input on
> this topic, so putting on my black hat...
> 
> It is probably not a great discovery, but I believe that the minimal
> requirement for a given combination of keys to be allowed as a global
> shortcut is that it is not printable and not whitespace given the
> currently selected keyboard layout. Such a combination should never be
> delivered to an application that doesn't have active keyboard focus.
> 
> Two major reasons for that:
> 
>   - security: the reason is rather trivial, those may contain data that
> can be considered sensitive, like a credit card number, password, or
> whatever. I can't imagine other sequences being considered sensitive
> (besides SAK, which is special in its way).
>   - usability: I really wouldn't be happy if some app *steals* a
> character that I type in and does something fancy, changing my online
> presence to available any time I type in AltGr+A ("a with ogonek" in
> the Polish programmer's layout), for example...
> 
> It seems impossible to ban key sequences for all possible keyboard
> layout configs, considering that it's not that hard to write your own,
> so it seems wise to do this check at runtime.
> I don't think that users will be very surprised by the fact that a
> shortcut is dropped silently with a changed layout. They may be, but
> for sure not while typing a URL, texting, or editing text...
> 
> It also doesn't sound that terribly complicated to put into code
> (given XKB shares enough info, and a decent enough isprint for Unicode
> is somewhere out there, which I haven't checked).
> 
> I don't see a possible attack vector in allowing applications to check
> if a given sequence is available for them now, or in a notification
> about a layout change, but possibly I am not creative enough.
> 
> @Semantic approach idea suggested during XDC "Security":
> 
> It sounds interesting, but it seems to still leave at least a minor
> attack vector, unless the above requirement is met too.
> 
> Let's imagine that compositor Y becomes the most popular compositor, or
> even better, most compositors use some library for their semantic
> binding handling. It (compositor or library) is shipped with a usable
> enough configuration for keys and their actions - (that's ofc one of
> the reasons that it is so popular :->). Now, most users or distro
> developers won't be tempted to change this config - people are lazy,
> and that's why civilization can progress at all :).
> If I want to sniff their input, I know which semantic word to use for
> sniffing a given sequence, using knowledge of the default
> configuration.
> 
> That's just a tiny bit harder and won't work 100%, but hey, I am not
> that greedy - just a few passwords will do just fine; I don't have to
> get them all, right? Bah, even parts of passwords can be helpful and
> cut loads of work, I imagine.
> 
> What would make that potential attack even sweeter - the *flaw* is
> shipped by default. :-)
>

Hi Piotr,

It sounds like you make a fundamental assumption about something that
makes global shortcuts insecure, and so you set out to solve these
problems.

What is it that you assume?
What is the root of the problems?
What are the problems you are trying to solve?

Sorry, but I just couldn't understand anything you wrote.


Thanks,
pq
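
The runtime check proposed in the quoted message (a combination may be a global shortcut only if it types nothing printable and no whitespace under the active layout), sketched as an added example that is not part of the original thread. The layout tables, binding names and the rule that a non-level modifier suppresses text are constructed assumptions; a compositor would take this from XKB state.

```python
import unicodedata

# Constructed layouts: which modifiers select a level, and what text each
# (key, level modifiers) pair types. Anything not listed types nothing.
LAYOUTS = {
    "us": {"level_mods": {"Shift"},
           "text": {("a", ()): "a", ("a", ("Shift",)): "A",
                    ("space", ()): " ", ("t", ()): "t"}},
    "pl": {"level_mods": {"Shift", "AltGr"},
           "text": {("a", ()): "a", ("a", ("Shift",)): "A",
                    ("a", ("AltGr",)): "\u0105",  # a with ogonek
                    ("space", ()): " ", ("t", ()): "t"}},
}

def typed_text(layout, mods, key):
    """Text the combination types under `layout`, or "" if it types nothing."""
    spec = LAYOUTS[layout]
    mods = set(mods)
    # Assumption: a modifier that does not select a level (Ctrl, Alt, Super,
    # or AltGr on a layout without a third level) suppresses text.
    if mods - spec["level_mods"]:
        return ""
    return spec["text"].get((key, tuple(sorted(mods))), "")

def is_text_char(ch):
    """Printable or whitespace: whitespace, or any non-"C*" Unicode category."""
    return ch.isspace() or not unicodedata.category(ch).startswith("C")

def allowed_as_global_shortcut(layout, mods, key):
    """True only if the combination types no printable or whitespace text."""
    return not any(is_text_char(ch) for ch in typed_text(layout, mods, key))

def active_bindings(bindings, layout):
    """Re-run the check at layout-change time; failing bindings are dropped."""
    return {name for name, (mods, key) in bindings.items()
            if allowed_as_global_shortcut(layout, mods, key)}

BINDINGS = {  # constructed registrations
    "set-available": (("AltGr",), "a"),
    "open-terminal": (("Ctrl", "Alt"), "t"),
    "grab-letter": ((), "a"),
}

if __name__ == "__main__":
    for layout in LAYOUTS:
        print(layout, sorted(active_bindings(BINDINGS, layout)))
```
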


More information about the wayland-devel mailing list