Hacker News new | ask | show | jobs
by tptacek 4695 days ago
Yes, degree of difficulty matters. We don't disagree on that. It's the fundamental rule of security.

What we disagree on is the specific degree in this case. You think it's significant. I know it's not. Chrome's security design is denominated in thousands of dollars. This is a penny feature, and one with potential liabilities; it could cost more than it benefits.
2 comments
astalwick 4695 days ago
With the feature, I can explain to my mom, my girlfriend, my sister how to steal passwords from any chrome browser. In a way that they will remember and be able to repeat tomorrow.

Without it, I can't.

That matters.

link
tptacek 4695 days ago
I am not interested in security features that work only against my mom, and you shouldn't be interested in them either.
link
astalwick 4695 days ago
So, but, really: I am interested, as are a lot of other people. Hence the gnashing of teeth.

I'm not thrilled by the security community's black-and-white stance that if it can't stop a defcon attendee, then it's not real security and it's not worth doing.

If my mom can be stopped, and it's simple to stop her, then I really don't get the resistance. 'False sense of security'? Yeah, that ship has already sailed. That's why the Guardian is writing articles like this - people are surprised to learn HOW trivial it is to steal passwords in chrome.

link
tptacek 4695 days ago
You make it sound like that stance is elitist, but it's the opposite: it's our knowledge of how easy it is to get the level of "Defcon Attendee" that motivates us not to implement cosmetic security features.
link
astalwick 4695 days ago
But it's not. Not THAT easy. I'm a developer, with a fair bit of experience, and I'm nowhere near the average defcon attendee. (Unless I'm badly overestimating their abilities).

My mom? She asked a shop owner, two days ago, 'do you have a, uh, online thing? You know, with the pictures?'

And yet, "Mom, experiment: type 'chrome://settings/passwords' in my browser and see how many passwords you can steal in 60 seconds".

link
tptacek 4695 days ago
You are badly overestimating their abilities, for instance by assuming that the typical Defcon attendee can code. We're talking past each other. Just take my word for it that bypassing the proposed "master password" is even easier than I've managed to make it sound.
link
interpol_p 4695 days ago
Can you please explain the potential liabilities for making Chrome work the same way Safari does when attempting to reveal passwords? (I.e., ask for the Keychain password before unmasking.)

To me this would be a great solution and would improve Chrome's user experience. I am unsure why the strong argument against this.

link