Bug 700057 - Password Request Dialog has multiple security issues
Status: RESOLVED DUPLICATE of bug 688434
Product: gnome-shell
Classification: Core
Component: general
Version: unspecified
Hardware: Other All
Importance: Normal major
Target Milestone: ---
Assigned To: gnome-shell-maint
QA Contact: gnome-shell-maint
Depends on:
Blocks:
 
 
Reported: 2013-05-10 10:28 UTC by Alexánder Alzate
Modified: 2013-05-12 21:39 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Alexánder Alzate 2013-05-10 10:28:50 UTC
Basically there are 3 issues:

First, when you are asked for a password, you are not able to know which application is sending the request. This is very important because some virus or spyware or anything related could request the password.

Another issue is that the dialog blocks the screen, so you can't use your password manager to get your password. This is very annoying, because if you don't know your password you are not able to "unlock" the application that triggers the dialog, e.g. when Evolution asks for your email password. And thinking about security, blocking the screen, in this case, assumes and promotes to not use a password manager.

And finally, though it could be less important, you are not able to unlock later; maybe you need to investigate, for security reasons, why the application is asking for your password.

I don't know if it is relevant, but I use KeePassX to store my passwords.

Some related texts or bugs:
- https://live.gnome.org/GnomeOS/Design/Whiteboards/AuthorizationDialog
- https://live.gnome.org/GnomeShell/Design/Whiteboards/KeyringDialog
- https://bugzilla.gnome.org/show_bug.cgi?id=596260

I hope I have been clear, because I'm not an English speaker so... you know, :P; if not, please ask me and I will try to explain better.
Comment 1 Milan Bouchet-Valat 2013-05-10 12:50:42 UTC
For the first issue, see bug 688351.

For the second one: the current design promotes the use of a password manager, but... GNOME's password manager, i.e. gnome-keyring/Seahorse. See bug 688434.

About the third one: I'm not sure what you mean, these dialogs should only be shown in response to user action, so you know what the dialog is for. Also, applications should always work if you cancel the auth dialog and retry later. If any of these assumptions are not respected, file a bug against the application.

*** This bug has been marked as a duplicate of bug 688434 ***
Comment 2 Alexánder Alzate 2013-05-12 21:39:06 UTC
(In reply to comment #1)
 
> For the second one: the current design promotes the use of a password manager,
> but... GNOME's password manager, i.e. gnome-keyring/Seahorse. See bug 688434.

Not at all, because the screen is locked, so you can't open Seahorse and use your password; you MUST know the password, and I was talking about that behaviour, not about GNOME.

Quoted:
"_in_ _this_ _case_, assumes and promotes to not use a password manager."