On 10/06/13 12:34, Daniel Pocock wrote:
> a) a web site displaying a "PolicyKit" popup that resembles the wording
> of the Debian popup

GNOME Shell does mitigate this by using a distinctive UI for "system-modal dialogs", which makes use of the fact that the Shell is the window compositor in order to dim the rest of the screen:

<http://people.gnome.org/~halfline/power-off-dialog.png>

That's the "power off" dialog, but PolicyKit prompts are similar. Notice that everything outside the dialog is desaturated and darker than usual.

I would hope that web browsers don't have that level of control over the system's appearance (going to full-screen is the closest they could get, and they'd still have to reproduce a darkened form of the entire screen contents somehow).

> b) an X window compromise that allows an attacker to display a popup
> (although such compromises often give the attacker the ability to
> monitor keystrokes and obtain passwords in other ways)

I don't know whether a client with X access would be able to emulate a system-modal dialog more closely; it might be able to do tricks with screenshots? As you say, input logging is probably more of a concern here.

S

Archive: http://lists.debian.org/51b5c2ca.70...@debian.org