> On 2016-08-30 01:16, johny...@sigaint.org wrote:
>> Say someone compromises the dom0 encrypted drive password, and
>> then goes shuffling through the private.img file of the AppVM's to
>> get at Firefox's passwords...? The VM itself wouldn't have to be
>> running corrupt code for that, and keeping the passwords out of
>> Firefox prevents that attack.
>>
>> (Firefox's master password could also help prevent such an attack, I
>> guess. Is strong crypto used for that? It's still a single point
>> of failure, but so is the keepass master password. At least with
>> keyfiles and physically taking the device with me, that keepass
>> single point of failure is mitigated.)
>>
>
> Qubes is designed with the assumption that if dom0 is compromised, the
> whole system is compromised. So, from a "standard" Qubes perspective,
> it doesn't really make sense to talk about protecting Firefox
> passwords when dom0 is assumed to be compromised. If your threat model
> differs significantly from this assumption, then you may need to
> specify it in more detail.
Understood. I think most of my security violations in the past were done
remotely, and with dom0 having no networking, that risk is quite low.
There have been occasions where I suspected physical access and a
keylogger/camera, however.

Notwithstanding "dom0 is compromised and you're screwed," there is one
threat model where Firefox passwords are less safe, possibly:

With a hardware keylogger or an over-the-shoulder-camera, one can glom the
root disk password (and any Firefox master password). Then when you're
out (or via a network card management mode, BIOS trojan, whatever) get
into the system, go through the .img files to find the Firefox passwords.
All of your online passwords are revealed at that point.

If the passwords only existed in keepass on a removable USB drive, then
they're safely with you. Even if that keylogger grabbed your keepass
password, it's no good to any attacker. And the passwords have never been
typed, so any keylogger/camera doesn't have them.

Yes, an attacker who gets into the system could at that point plant
trojans, but if you have in place other intrusion detection mechanisms
(not necessarily just on the computer) you can be aware of that fact, and
redo the system from a backup. Your computer may be toast, but your email
and online world is still safe.

I guess if you never typed your Firefox master password, but used keepass
for it, too, and assuming Firefox's password storage is strongly
encrypted, then your passwords are still pretty safe in case of a dom0
violation. Whenever you start stacking "if's" like that, though, I start
feeling less secure. :)

I do know the passwords can't be stolen if they're not on the system and
have never been typed, short of the system already having been
compromised. I don't know enough about Firefox's master password
encryption to trust it 100%. Faulty assumptions have cost me dearly in
the past, so I try to make as few as possible these days.
> P.S. - Please keep the list CCed (unless there's a special need for
> privacy, in which case, use PGP).
I definitely will share the results with the group. There won't be
anything in the setup whose revelation would reduce my own security. :)
But I appreciate the sensitivity.
Apologies. I'll be more careful cleaning up the To/Cc on mailing list
replies in the future. sigaint was truncating the field, and I neglected
to notice (until the bounce).
Hey, at least I'm not still top posting. :)
JJ
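The point JJ makes about a keyfile on a removable drive mitigating the "keylogger captured my KeePass password" case can be made concrete. The following is an added example, not part of the thread and not KeePass's own code: a simplified vault model whose unlock key is a composite of the typed password and a key file. The composite step is patterned on KeePass's documented construction (SHA-256 over the SHA-256 of the password followed by the key-file key); the PBKDF2 step, the HMAC verifier, the `KDF_ROUNDS` value and every function name are assumptions made for the illustration, and the password and key file are constructed sample values. It shows that a captured password alone opens a password-only vault but not one that also requires the key file carried with the user.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical, simplified vault model (not KeePass's real file format).
# The composite-key step mirrors KeePass's documented scheme; the KDF and
# verifier below are illustrative stand-ins.
KDF_ROUNDS = 200_000  # assumption: illustrative work factor for the stand-in KDF
VERIFIER_LABEL = b"vault-verifier"  # assumption: fixed label for the unlock check


def keyfile_key(data: bytes) -> bytes:
    """A raw 32-byte key file is used as-is; any other content is hashed first."""
    if len(data) == 32:
        return data
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Combine the typed secret with the key file that lives only on the USB drive.

    Without the key-file bytes, the result cannot be recomputed from the
    password alone, which is what defeats the keylogger/camera scenario.
    """
    material = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        material += keyfile_key(keyfile)
    return hashlib.sha256(material).digest()


def create_vault(password: str, keyfile: Optional[bytes]) -> dict:
    """Return a vault header: a per-vault salt plus a verifier tied to the derived key."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, KDF_ROUNDS)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """Re-derive the key from the supplied secrets and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), vault["salt"], KDF_ROUNDS)
    probe = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(probe, vault["verifier"])


def keylogger_scenario() -> dict:
    """Model the thread's scenario: the typed password is captured, the key file is not."""
    password = "correct horse battery staple"  # constructed sample value
    keyfile = secrets.token_bytes(32)           # constructed: 256 bits held only on the USB drive

    password_only_vault = create_vault(password, None)
    keyfile_vault = create_vault(password, keyfile)

    return {
        # Attacker holds the keylogged password and nothing else.
        "password_only_vault_opens_with_captured_password": unlock(password_only_vault, password, None),
        "keyfile_vault_opens_with_captured_password": unlock(keyfile_vault, password, None),
        # Attacker holds the drive but never saw the password typed.
        "keyfile_vault_opens_with_keyfile_alone": unlock(keyfile_vault, "", keyfile),
        # Legitimate owner with both factors.
        "keyfile_vault_opens_with_both": unlock(keyfile_vault, password, keyfile),
    }


if __name__ == "__main__":
    for name, opened in keylogger_scenario().items():
        print(f"{name}: {opened}")
```

The second factor only helps if the key file never rests on the machine that might be keylogged or imaged, which is exactly why the thread puts it on a removable drive that leaves with the user; a key file copied into the AppVM's private storage would be recovered along with the vault in the scenario described.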