- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 16 Aug 2013 03:54:43 +0000 (UTC)
- To: Tim Berners-Lee <timbl@w3.org>
- cc: www-archive@w3.org
On Thu, 15 Aug 2013, Tim Berners-Lee wrote:
>
> Only Chrome, AFAIK. FF, Safari both ask for a password.

Firefox doesn't ask for a password for >90% of users. Chrome, IE, and Safari all use the OS system password service. I don't understand what you think is the difference between the browsers here.

> The attack is by colleagues, members of family, etc, not by hardened black hats.

In all cases, if you have access to the machine, all it takes is trivial software that's widely available to snoop on anyone else using the machine. Or, even without such software, you can just go to the relevant site, have the browser automatically log you in, and you don't even need the password (and you can grab the password using a trivial bookmarklet or using the browser's built-in tools).

Fundamentally, if you have physical access to the machine, asking for an additional password doesn't do anything to stop you. In all cases, the passwords are available unprotected if you are logged in. (Indeed, with Firefox, which doesn't use the system password service as I understand it, the passwords aren't even encrypted.)

If you don't trust your colleagues or family members to not snoop on you, you _really_ shouldn't be giving them access to your computer. It doesn't take a "hardened black hat". The software you need to do this kind of thing is widely available online, and one's sister would have no trouble finding it.

Pretending that you have protected the system by asking for an unnecessary password doesn't improve security, it's just security theatre. Indeed, it is probably counter-productive: it makes the user think it's safer to hand the machine to someone else than it actually is.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 16 August 2013 03:55:05 UTC
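The "trivial bookmarklet" mentioned in the message above, as an added example that is not part of the original e-mail or of any browser's code: once the browser has auto-filled a login form, the saved password sits in an ordinary `<input type="password">` element whose `.value` any script running on the page can read, so a master-password prompt that was never shown (or was already satisfied for the session) does nothing to keep it from whoever is sitting at the keyboard. The function names, the `example.test` form and the minimal fake `document` are assumptions constructed here so the file runs offline under Node; in a browser you would pass the real `document`.

```javascript
// Added example, not code from the original message. Lists the credentials
// the browser has already auto-filled into the current page.

// Walk every password field the browser has filled and pair it with the
// nearest filled username-like field in the same form.
function collectAutofilledCredentials(doc) {
  const found = [];
  for (const field of doc.querySelectorAll('input[type="password"]')) {
    if (!field.value) continue; // empty field: nothing was autofilled here
    const form = field.form;
    let username = null;
    if (form) {
      // Heuristic: the last filled text/email input in the same form.
      for (const candidate of form.querySelectorAll('input[type="text"], input[type="email"]')) {
        if (candidate.value) username = candidate.value;
      }
    }
    found.push({
      action: form ? form.action : null,
      username,
      password: field.value,
    });
  }
  return found;
}

// Wrap the collector as a javascript: URL that can be saved as a bookmark and
// clicked on any page. alert() returns undefined, so the browser shows the
// dialog instead of navigating to the result of the expression.
function toBookmarklet(fn) {
  return 'javascript:alert(JSON.stringify((' + fn.toString() + ')(document)))';
}

// Constructed stand-in for a page the browser has filled in, so the example
// runs offline under Node. In a browser, call collectAutofilledCredentials(document).
function constructedAutofilledPage() {
  // Minimal querySelectorAll: only understands input[type="..."] selectors.
  const selectAll = (inputs) => (selector) => {
    const types = Array.from(selector.matchAll(/type="([^"]+)"/g), (m) => m[1]);
    return inputs.filter((input) => types.includes(input.type));
  };
  const loginForm = { action: 'https://example.test/login', inputs: [] };
  loginForm.querySelectorAll = selectAll(loginForm.inputs);
  loginForm.inputs.push(
    { type: 'email', value: 'alice@example.test', form: loginForm },
    { type: 'password', value: 'hunter2', form: loginForm },
  );
  // A second, unfilled password field with no form (e.g. a "change password"
  // widget): it must be skipped, not reported as an empty credential.
  const stray = { type: 'password', value: '', form: null };
  return { querySelectorAll: selectAll([...loginForm.inputs, stray]) };
}

// Stand-alone run (outside a browser): show what the bookmarklet would reveal.
if (typeof document === 'undefined') {
  console.log(collectAutofilledCredentials(constructedAutofilledPage()));
  console.log(toBookmarklet(collectAutofilledCredentials));
}
```

The bookmarklet needs no elevated privileges and no tooling beyond the browser itself, which is the point of the message: whoever is logged in to the desktop session already has the saved passwords, and a second prompt only changes who the user believes they are protected from. Whether a `javascript:` bookmark runs at all is browser-dependent, and some sites' Content-Security-Policy can block it, but the same values are always reachable from the developer tools.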