Aug. 7, 2013, 6 p.m.

Chrome's security issues are real

There has been much talk about Chrome's way of storing passwords for web forms.

Some people argue both sides. I have my personal opinion on the matter though. And it is not very complicated.

Security is not an on/off switch. Security is not an all or nothing concept. It consists of layers, with varying degrees of importance. Just as the threat is not a singular black/white threat - it is a large grey scale of potential attack vectors.

Let's discuss the latter first. Who do you want to protect your passwords from?
1. NSA?
2. Your boss?
3. Your spouse / child / friends?

Most people do not ever need to worry about governments accessing their data - simply because we do not store anything that is valuable enough to warrant time and energy to crack, presuming we are honest people. Public communication such as email and web traffic are by definition compromised - I am not including that here. I am talking about secrets stored on your local computer, which you have some degree of control over.

So we worry about bosses and family. Unless you work for an IT security company or high profile Fortune 500 company your boss will most likely not know how to crack proper security such as AES etc. Neither will your family. But they will know how to guess a password such as your date of birth or cat's name. They do know how to get access to your computer - your boss most likely owns the hardware and your family usually do have physical access. So the reasoning that your OS password is your only protection point is moot. In theory that is a good idea - in practice it does not work that way. We allow family to work on our accounts, we cannot stop our boss from logging in as the administrator and viewing our files. So what to do?

Google suggests you can do nothing, and therefore - to emphasize that you are helpless, they do not even pretend to secure your web site passwords. For that I agree with their implementation - it is in alignment with their philosophy. Where I do disagree is with their philosophy. As I have just explained, there are LOTS of reasons why we would like to protect stuff when we assume other people have physical access to our accounts. And here is the news flash - there has been work done in this area for many decades now to solve that problem. It is called encryption. Using something like PGP, BestCrypt, 1Password etc. does exactly that - it presumes that the attacker has full access to your file being protected. Public key encryption even assumes everyone has access to your public key. Even if they have access to your private key it is still hard to crack it. Your boss will most likely not be able to do so. Neither will your family.

So we have some documents that nobody should read. Done correctly you store your private key on a USB stick. Until someone figures out how to break AES (not likely anytime soon), your encrypted documents are safe even if the attacker can copy them and try to launch offline attacks (naturally presuming you have a strong password and no weaknesses in the algorithm's implementation).

Why not do the same for web form passwords? That is what 1Password does. One master password to lock all passwords. Sure, depending on how you use it you could leave your system vulnerable. If you do not have 1Password set to auto lock, anyone can gain access to your passwords via View Source etc. However you have a choice. You can manually lock the keychain before passing over your machine to your spouse. You have control over the process. You are not forced to create multiple user accounts.
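The master-password idea described above (one password locks every stored web password, and the locked file stays useless to someone who copies it), as an added Python sketch that is not code from this post or from 1Password. The function names, the PBKDF2 iteration count and the sample logins are assumptions, and HMAC-SHA256 in counter mode stands in for AES because the Python standard library has no AES.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # assumed PBKDF2 work factor; makes each offline guess slow

def _keys(master: str, salt: bytes):
    # Stretch the master password into two independent 32-byte keys.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return raw[:32], raw[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: str, logins: dict) -> dict:
    """Lock the vault: encrypt site passwords into a blob safe to leave on disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    plain = json.dumps(logins).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unseal(master: str, blob: dict) -> dict:
    """Unlock the vault; raise ValueError on a wrong master password or tampering."""
    enc_key, mac_key = _keys(master, blob["salt"])
    expect = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("wrong master password or modified vault")
    ct = blob["ct"]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, blob["nonce"], len(ct))))
    return json.loads(plain)

# Constructed sample data, not real credentials.
SAMPLE = {"mail.example": "s3cret-Mail", "bank.example": "s3cret-Bank"}

if __name__ == "__main__":
    vault = seal("correct horse battery staple", SAMPLE)
    print(unseal("correct horse battery staple", vault))
```

Only the sealed blob touches the disk; whoever sits down at the account while the vault is locked gets ciphertext, and the strength of the master password is what bounds an offline guessing attack.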

Just like I cannot prevent my family from entering my house (presuming it is close family and they live with me), even though I have a strong lock on the front door, I cannot always prevent other people from accessing my account. But when they do, I still want to have the ability to choose what they can access. That is why I have a safe in the house. I lock away things not meant for other people even after they have crossed the security boundary that is my front door. Why do you think Mac OS X asks for re-authentication when you want to change some security settings or install an application even though you are already logged in? Same reason.