From: Ted Zlatanov <tzz@lifelogs.com>
To: <ding@gnus.org>
Subject: Re: Password protection
Date: Tue, 28 Sep 2010 09:47:33 -0500 [thread overview]
Message-ID: <87sk0t3oxm.fsf@lifelogs.com> (raw)
In-Reply-To: <m31v8ec5pm.fsf@quimbies.gnus.org> (Lars Magne Ingebrigtsen's message of "Tue, 28 Sep 2010 16:17:57 +0200")
On Tue, 28 Sep 2010 16:17:57 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
LMI> I find it sort of puzzling that we have to jump through all these hoops
LMI> to get at credentials. I mean, Firefox users don't have to set up a gpg
LMI> agent or type their passwords a gazillion times, so why should users?
Look at it the other way: why shouldn't they set up a GPG agent or enter
a passphrase? (assuming that entering the passphrase more than once is
a bug I plan to fix)
With the Secrets API they don't need even that much (you should really
try it), but there's a baseline of "I am authorized to open a secure
file." By comparison, Chrome and Firefox store passwords in a format
that's pretty easy to decrypt and only requires reading files (e.g. see
http://www.blogsdna.com/12040/how-to-recover-stored-google-chrome-passwords.htm)
The user can always set up an unencrypted file if he doesn't like
encryption.
So I'd argue that Emacs has, practically speaking, better security
*externally* than Firefox, Chrome, or most other web browsers with a
authinfo.gpg file. Now from the inside, yes, it's a candy store of
passwords, and that's a concern. But Doing It Right requires a lot of
infrastructure that Emacs Lisp doesn't have. And Firefox and Chrome
extensions can get at your passwords too AFAIK.
LMI> So here's my thought: If there was a C-level function that would slurp
LMI> in your ~/.authinfo.gpg data, and then let you use it, but without
LMI> actually ever letting a Lisp-level function see the passwords --
LMI> wouldn't that be nice?
LMI> Here's how I see it working:
LMI> 1) Gnus calls (authinfo-store-tokens "~/.authinfo.gpg"), and the user is
LMI> (probably) prompted for a password.
LMI> 2) The data is stored in the C layer, probably obfuscated in some way.
LMI> 3) A new C function is added:
LMI> (process-send-auth process "LOGIN larsi %p\n\r"
LMI> '((:hosts ("imap.gmail.com"))
LMI> (:ports ("imaps" "imap" 443))
LMI> (:user ("larsi"))))
LMI> This function would then work just like `process-send-string', only that
LMI> it roots out the first matching password from the auth info first, and
LMI> expand the string sent.
LMI> That way the Lisp application layer will never actually see the
LMI> password, but it will be able to control what's otherwise being sent,
LMI> and what credentials to use in a flexible manner.
You're basically describing the Secrets API, which does this over D-Bus,
allows saving a password, and has many other features. So we could have
(auth-source-upload-secrets "authinfo.gpg") to do (1) differentially or
as an overwrite and then (2) and (3) would Just Work persistently.
Ted
next prev parent reply other threads:[~2010-09-28 14:47 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-28 14:17 Lars Magne Ingebrigtsen
2010-09-28 14:43 ` Richard Riley
2010-09-29 14:01 ` Lars Magne Ingebrigtsen
2010-09-28 14:46 ` Julien Danjou
2010-09-28 14:50 ` Ted Zlatanov
2010-09-29 14:04 ` Lars Magne Ingebrigtsen
2010-09-28 14:47 ` Ted Zlatanov [this message]
2010-09-29 14:07 ` Lars Magne Ingebrigtsen
2010-09-29 16:56 ` Charles Philip Chan
2010-09-29 17:15 ` Ted Zlatanov
2010-09-29 19:27 ` Lars Magne Ingebrigtsen
2010-09-29 19:51 ` Ted Zlatanov
2010-09-29 20:35 ` Michael Albinus
2010-09-29 20:58 ` Ted Zlatanov
2010-09-30 3:32 ` Michael Albinus
2010-09-30 15:46 ` Ted Zlatanov
2010-09-30 17:19 ` Michael Albinus
2010-09-30 16:25 ` Lars Magne Ingebrigtsen
2010-09-30 16:43 ` Ted Zlatanov
2010-09-30 16:47 ` Lars Magne Ingebrigtsen
2010-09-30 17:07 ` Ted Zlatanov
2010-09-30 17:17 ` Lars Magne Ingebrigtsen
2010-09-30 17:45 ` Ted Zlatanov
2010-09-30 17:51 ` Lars Magne Ingebrigtsen
2010-09-30 19:11 ` Michael Albinus
2010-09-30 17:13 ` Michael Albinus
2010-09-30 17:16 ` Michael Albinus
2010-09-29 21:38 ` Lars Magne Ingebrigtsen
2011-02-25 22:18 ` Ted Zlatanov
2011-03-05 11:53 ` Lars Magne Ingebrigtsen
2011-03-07 17:27 ` Ted Zlatanov
2010-09-28 15:02 ` David Engster
2010-09-29 2:28 ` Daniel Pittman
2010-09-29 4:39 ` Richard Riley
2010-09-29 5:58 ` Daniel Pittman
2010-09-29 6:42 ` Richard Riley
2010-09-29 8:54 ` Gijs Hillenius
2010-09-29 9:07 ` Richard Riley
2010-09-29 10:23 ` Gijs Hillenius
2010-09-29 9:51 ` Tassilo Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sk0t3oxm.fsf@lifelogs.com \
--to=tzz@lifelogs.com \
--cc=ding@gnus.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).