Authorized clients
Martin Peres
martin.peres at free.fr
Thu Jan 9 11:52:30 PST 2014
On 09/01/2014 20:25, Bill Spitzak wrote:
> Martin Peres wrote:
>
>> We don't need to trust the client much if we limit the number of
>> screenshots to 1. This way, the worse thing that could happen for
>> your privacy would be if your cat sits on the keyboard and presses
>> "print screen" all the time while you key in sensitive information
>> (unlikely, right?), even if the app just
>>
>> This is not true. The server can refuse to feed the application with
>> more than one screenshot. This severely restricts the possibilities
>> of using this feature to spy on what a user is doing.
>
> I just don't believe this is going to work.
>
> Screenshot applications I have seen are triggered by a key, yes, but
> all of them then show the initial screenshot to the user and then
> allow the user to change parameters and make a second screenshot. I
> suppose restricting the ui so that the user must hit the same key to
> trigger a second screenshot may work, but I am very worried about any
> scheme that forces ui decisions on clients.
Yes, X11-style screenshot apps won't work but this is for a good reason,
isn't it? And as far as I know, most users on Windows do not use any
application for screenshots, they just press "print screen" and paste
that in paint/whatever.
With my proposed solution, the app would only be used to edit the
screenshot (crop, resize). Different hot keys would be used depending on
if you want to grab a window, a screen or all the screens. Is that that
difficult for users? Any other solution will result in lost
confidentiality and, please, let wayland compositors be the only ones
that cannot be spied on easily!
>
> Another concern is that a malware screenshooter could just fake
> it(maybe copying an old screenshot) and then delay until the critical
> time to take the screenshot. A timeout or cancel after too many other
> surfaces are created/destroyed may work but this is sounding like
> complexity to solve a pretty non-existent problem.
Pressing another time would spawn another program, not increment a
counter of "allowed screenshots".
>
>> The video capture API concerns me more.
>
> But on Windows most fancy screenshooter applications do both. And
> users do not think of these as being different.
Users do not think of them as being different because that's what they
learnt. Should we keep on making the same mistakes and carry that legacy
thinking? Should we lose confidentiality just for the fringe amount of
users who want a common GUI for screenshooters across all wayland
compositors? You know my answer...
> I think you just have to assume that the bound application is "good"
> and is doing what the user wants, even if it can take numerous
> screenshots or opens the video api.
No constant access control == no security. Clients should never be
trusted. I trust the server because it is the one implementing the
service, but that's it.
I'm not trying to be mean or anything; I'm just trying to map some
expected requirements with what can be done. The only thing that
concerns me is to find the solution that lowers the confidentiality risk
while still being as usable as possible.
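The server-side policy described above (one screenshot per hotkey-spawned client, a second press spawning a second program rather than incrementing a counter, video capture not granted at all), as an added Python sketch that is not part of this thread or of any Wayland compositor; the scope names, the token scheme and the audit log are assumptions:

```python
import secrets
from dataclasses import dataclass

# Assumed scopes, one per hotkey in the proposal: grab a window, one output, or all outputs.
SCOPES = {"window", "output", "all"}


@dataclass
class Grant:
    scope: str
    used: bool = False  # single-use; the server, not the client, tracks this


class Compositor:
    """Server side of the proposal: each hotkey press spawns a fresh client
    holding exactly one screenshot grant. Video capture is never granted."""

    def __init__(self):
        self._grants = {}  # token -> Grant, known only to the server
        self.audit = []    # constructed log of decisions, for the reader

    def hotkey_pressed(self, scope):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        token = secrets.token_hex(8)  # handed to the freshly spawned editor app
        self._grants[token] = Grant(scope)
        self.audit.append(("spawn", scope))
        return token

    def request_screenshot(self, token):
        grant = self._grants.get(token)
        if grant is None or grant.used:
            self.audit.append(("deny", "no unused grant"))
            return None
        grant.used = True  # consume before capturing so a repeated call cannot race
        self.audit.append(("capture", grant.scope))
        return {"scope": grant.scope, "pixels": b"<constructed>"}

    def request_video_capture(self, token):
        self.audit.append(("deny", "video capture is not part of a hotkey grant"))
        return None


def scenario():
    comp = Compositor()
    t1 = comp.hotkey_pressed("window")
    first = comp.request_screenshot(t1)
    second = comp.request_screenshot(t1)  # refused: the server feeds only one shot
    t2 = comp.hotkey_pressed("all")       # another press spawns another program
    third = comp.request_screenshot(t2)
    video = comp.request_video_capture(t2)
    return first, second, third, video, comp.audit
```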