Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 32

Thread: I Still Can't Get The Chromium Apparmor Profile to work!

  1. #21
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    You can still be exploited without Javascript/ plugins through text rendering vulnerabilities (rare, but there was one not so long ago.)

    My Chrome profile's working for me, idk
    Possibly, but in the end, the most it's going to end up doing is screwing with my home directory, which is backed up daily. My only concern is passwords, I wonder if there is a program that will encrypt Chrome passwords. And anyway, password-stealing type exploits can't be prevented by apparmor anyway.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  2. #22
    Join Date
    Mar 2011
    Beans
    669

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    I suggest LastPass, which is what I use.

  3. #23
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    I suggest LastPass, which is what I use.
    Same. But it's really a cloud based password manager. I can't believe Chrome doesn't have password encryption like Opera and Firefox.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  4. #24
    Join Date
    Mar 2011
    Beans
    669

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    It does.
    It's encrypted with either your GMail password or your passphrase. On Windows it's encrypted on disk with your Windows Login password and it decrypts when you log in.

    LastPass does all of its encryption locally as well as server side, which is why I use it. It's stored on their servers but even if they're hacked I have absolutely nothing to worry about.

  5. #25
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    It does.
    It's encrypted with either your GMail password or your passphrase. On Windows it's encrypted on disk with your Windows Login password and it decrypts when you log in.

    LastPass does all of its encryption locally as well as server side, which is why I use it. It's stored on their servers but even if they're hacked I have absolutely nothing to worry about.
    Uhm... Not quite. What you're mentioning is the Account Sign in feature of Chrome, which does indeed only encrypt passwords by default on the server side and can be set to encrypt everything, but not locally on your computer!. This means that if a website were to compromise Chrome, it could potentially steal the passwords, because they are in fact stored in plaintext http://support.google.com/chrome/bin...469&ctx=topic:
    How do I stop syncing to my Google Account, while keeping my bookmarks and other browsing data on my computer?

    You can disconnect your Google Account from Chrome and stop syncing with your computer. By disconnecting your Google Account, you won’t lose the data stored on your computer or in your Google Account. However, any future changes you make on your computer will not be reflected on other computers that you’ve signed in to Chrome on. Learn how to disconnect your Google Account from Chrome
    When you sign in to Chrome and enable sync, Chrome keeps your information secure by using a passphrase to encrypt your synced data. By default, Chrome uses your Google Account password as the passphrase, but you can choose to use a custom encryption passphrase instead. This custom passphrase is stored on your computer and isn’t sent to Google.
    Note: The last bit is also important to notice, because a website can also get your whole account passphrase if you use that and could again decrypt and read everything in your account.

    As for the CryptProtectData API in Windows, that still decrypts it on login (and thus does not protect from web-based threats of password-stealing) and anyway, can't the attacker just look at the Windows password on the computer via Live session, store it, copy the passwords from Chrome, go to another machine, make a Windows VM with the same account details, copy the passwords into Chrome's folder, and voila?
    Last edited by 0011235813; July 14th, 2012 at 08:03 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  6. #26
    Join Date
    Mar 2011
    Beans
    669

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    http://gregoryszorc.com/blog/2012/04...owser-syncing/

    The default behavior is for Chrome to encrypt your passwords before uploading them to the server.
    Nothing you quoted disagrees with what I've said. In fact, the bit about the passphrase stored on your computer and not their servers enforces that you're the one holding the encryption key and you're the one doing the encryption.

    If your Chrome is compromised and they do gain access to the passwords (they'd have to move to a sandbox that has access to this, the renderer is where you'll find exploits most of the time and it has no read access) the reason it would lhave access is, just as with the Firefox master password, your passwords *have* to be decrypted at some point.

    As for the CryptProtectData API in Windows, that still decrypts it on login (and thus does not protect from web-based threats of password-stealing) and anyway, can't the attacker just look at the Windows password on the computer via Live session, store it, copy the passwords from Chrome, go to another machine, make a Windows VM with the same account details, copy the passwords into Chrome's folder, and voila?
    If they have the password they could simply log into the Windows computer.

    A master password protects only against this attack, really.

  7. #27
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    http://gregoryszorc.com/blog/2012/04...owser-syncing/



    Nothing you quoted disagrees with what I've said. In fact, the bit about the passphrase stored on your computer and not their servers enforces that you're the one holding the encryption key and you're the one doing the encryption.

    If your Chrome is compromised and they do gain access to the passwords (they'd have to move to a sandbox that has access to this, the renderer is where you'll find exploits most of the time and it has no read access) the reason it would lhave access is, just as with the Firefox master password, your passwords *have* to be decrypted at some point.


    If they have the password they could simply log into the Windows computer.

    A master password protects only against this attack, really.
    Yeah, the whole point I was trying to make isn't that Chrome doesn't encrypt the passwords on the server when you sign in to your account, it's that a JavaScript/plugin/whatever exploit could read the passwords on the machine. For example, let's say I made a site with some malicious JavaScript and I successfully managed to exploit Chromium. I could then tell it to upload ~/.config/chromium/Default/Web Data to ftp://malicious.evil.hacker/your-passwords and hey presto, I could see al the passwords with something like sqliteman.

    Yeah, I didn't think of that. I wonder why they bother with CryptProtectData? It wouldn't help the encrypted passwords if the master password to decrypt them is stored in plain text in c:\windows\system32\configure\sam. Stupid. Stupid.

    EDIT: Sorry, I should have mentioned specifically I was referring to locally stored passwords, I thought it would have been evident when I mentioned files in my /home directory and concern over passwords.
    Last edited by 0011235813; July 14th, 2012 at 10:08 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  8. #28
    Join Date
    Mar 2011
    Beans
    669

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    For example, let's say I made a site with some malicious JavaScript and I successfully managed to exploit Chromium. I could then tell it to upload ~/.config/chromium/Default/Web Data to ftp://malicious.evil.hacker/your-passwords and hey presto, I could see al the passwords with something like sqliteman.
    Not really. If it were a Java exploit sure. But a Javascript exploit will be held in the JAvascript sandbox, which on Windows runs at Untrusted integrity. That means it has no read/ write access.

    I wonder why they bother with CryptProtectData
    Because without your Windows ID password they can't get in unless I'm missing something.

    Although there might be a way around that if it's stored in plaintext.

    Either way, I suggest LAstPass lol

  9. #29
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    Not really. If it were a Java exploit sure. But a Javascript exploit will be held in the JAvascript sandbox, which on Windows runs at Untrusted integrity. That means it has no read/ write access.


    Because without your Windows ID password they can't get in unless I'm missing something.

    Although there might be a way around that if it's stored in plaintext.

    Either way, I suggest LAstPass lol
    The scenario was hypothetical of course, but I think the Chrome/Chromium developers are giving their sandbox a little too much credit, treating it as if it were unbreakable and thus being sloppy in other departments like password protection which browsers like Firefox and Opera all employ.


    Not to bash LastPass, but it seems a bit strange that one would require to use a third-party extension to do something as simple as keep your passwords safe
    Read my technology blog at: http://penguincampaigner.wordpress.com

  10. #30
    Join Date
    Mar 2011
    Beans
    669

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    ACtually the Chromium developers are working on a password management system that's far more ambitious than a simple master password - it's an entire LastPass-type system but with Google's servers.

    It's been in the works for about two months now and it's already showing some features (like password generation.)

    I agree that it would be nice to not have to use a 3rd party extension. But if their new management system works as well we won't have to.

    As for the Chrome sandbox I think the credit is well deserved. Bypassing it on Windows is incredibly difficult - bypassing it on Linux is way harder and, with the proper configuration, really just not feasible for any cost-effective attack (and by "proper configuration" I'm talking about grsecurity kernels with hardened chroots etc on a 3.5 kernel) but, of course, it's not invincible.

    That's not super on topic though. The point is for an attacker to see your password file they need at least one 'hop' to a higher privileged sandbox.

Page 3 of 4 FirstFirst 1234 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •