Hacker News new | ask | show | jobs
by jwcrux 4747 days ago
Hi there! Thanks for the great comment. I had a similar one on my blog that I responded to in the following way (I hope it helps!):

"Good question! You're right - in these cases it is assumed malware is already present on the system and running in the context of the user. But there can simply be better protection.

Consider Firefox's use of a Master Password. Even if an attacker is on the otherside of the airtight hatchway, he/she will not get the credentials unless they can find out the password used.

Thanks for the great comment!"
1 comments
mjschultz 4747 days ago
But if there is already malware on the user system, it just needs to wait until the user authenticates once in Firefox to get the master password, then it can fetch all the other passwords. Right?
link
jwcrux 4747 days ago
Absolutely it could. However, the layer of defense provided by a master password is still (so far, seemingly) better than the instantaneous and automatic access to credentials malware could have when extracting credentials from Chrome and IE.

But yes, to answer your question (and to validate the other poster on this thread) - If malware infects your system, you will likely have a bad time.

link
acdha 4747 days ago
I think you're answering in good faith but I find that caveat so overwhelming that it makes the point meaningless: if malware runs locally outside of a sandbox, you're screwed – full stop, end of story.

There are scenarios where master passwords are extremely useful and that's passive file disclosure such as a network home directory, a compromise of another account while you're not logged in, or – particularly relevant these days – a breached cloud sync service. I would make the case for that reason rather than as a malware resistance measure.

The long term fix requires architectural changes: none of the attacks described work directly on Mac OS X because the Keychain decoding happens in the securityd process which runs as root so the malware would trigger a confirmation prompt for each password it tried to pilfer. Unfortunately, this is also less than perfect as most users check the “Always allow” box granting permission to their browser for unprompted access…

link
drivebyacct2 4747 days ago
Yes, precisely. Local running malware = owned, period.
link