
Thread: What is the worst a browser exploit could do in Ubuntu?

  1. #41
    Join Date
    Mar 2011
    Beans
    668

    Re: What is the worst a browser exploit could do in Ubuntu?

    Yeah, most of the information out there is actually related to Qubes because a lot of people refuse to discuss it.

    It solves this by implementing X in a way that should be default - multiple X sessions and isolating user accounts.

  2. #42
    Join Date
    Jan 2012
    Beans
    753

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man
    It solves this by implementing X in a way that should be default - multiple X sessions and isolating user accounts.
    Isn't Wayland supposed to do that as well?

  3. #43
    Join Date
    Mar 2011
    Beans
    668

    Re: What is the worst a browser exploit could do in Ubuntu?

    I think Wayland requires root for global hotkeys. I've only ever heard about GUI isolation in it, never seen official documentation.

  4. #44
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    455
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: What is the worst a browser exploit could do in Ubuntu?

    From a layman's point of view: is a minimized application using an X session? Also, is the keepassx auto-type function or copied-to-clipboard information encrypted?

    If it is, then as long as keepassx is the only app open when you put in the master password, you would be safe. I mean, wouldn't you have to have a malicious app or infected browser open to implement it?
    Last edited by BigCityCat; November 19th, 2012 at 05:15 AM.

  5. #45
    Join Date
    Mar 2011
    Beans
    668

    Re: What is the worst a browser exploit could do in Ubuntu?

    A minimized application is using X/has X access. It's not so much that an application has to be using X as that it needs to have access to X.

    But yes, you would either need a malicious application with X access or some process with X access would have to have been exploited.

  6. #46
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    455
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: What is the worst a browser exploit could do in Ubuntu?

    Thanks

    I think just to be safe I will run a dedicated browser with no addons, a clean history and keepassx only... when dealing with sensitive information. Obviously it's probably not an issue but why not.

  7. #47
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    455
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: What is the worst a browser exploit could do in Ubuntu?

    Quote Originally Posted by Hungry Man
    A minimized application is using X/has X access. It's not so much that an application has to be using X as that it needs to have access to X.

    But yes, you would either need a malicious application with X access or some process with X access would have to have been exploited.
    Does the clipboard use X?

  8. #48
    Join Date
    Mar 2011
    Beans
    668

    Re: What is the worst a browser exploit could do in Ubuntu?

    I believe so.

  9. #49
    Join Date
    Dec 2008
    Location
    Orlando, Fl
    Beans
    455
    Distro
    Kubuntu 12.10 Quantal Quetzal

    Re: What is the worst a browser exploit could do in Ubuntu?

    Well, under those circumstances an infected app or process could read your master password and any info used with the clipboard, provided both were using X at the same time.

    I think the Wayland team is aware of this issue and has plans to try and deal with it. I found this link on the Wayland devel mailing list where the primary developer of Qubes OS has an interesting exchange with a Wayland developer.

    http://comments.gmane.org/gmane.comp...and.devel/1867

    I would be interested in some of you guys' take on the Wayland developer's response.

  10. #50
    Join Date
    Mar 2011
    Beans
    668

    Re: What is the worst a browser exploit could do in Ubuntu?

    They state "don't give a program session access" but we're talking about exploited programs, so it's different. But they do state that keys aren't broadcast globally; they're handled by the compositor, which is what I expected them to do.

    I'll finish reading and give a better response later.
