undefined | Better HN

0 pointspfg10y ago0 comments

You can't read loopback as a normal user. If you have root, you don't need to read unencrypted loopback traffic to get the passwords - just use a key logger.

0 comments

LukaAl10y ago

Fair enough... or not!

First of all, when assessing security of a solution you have to define the perimeter of attack. You could imagine a privilege escalation that gives you access to the loopback interface but not enough to install a key-logger.

In other words, you are making an assumption that could be wrong!

Second, I could agree that perfect safety against every attack is impossible unless you assume your machine is switched off. But reasonable safety measure is achievable at low cost. Diffie and Hellman won the Turing price yesterday and their work is almost 40 years old...

pfgOP10y ago

> You could imagine a privilege escalation that gives you access to the loopback interface but not enough to install a key-logger.

That's a weird thing to say. If you manage to bypass file system access rules, there's any number of ways you can get access to the password manager.

I'm not convinced that any measure 1Password could take to make this harder would amount to more than mere obfuscation, with the cost of additional complexity (and attack surface).

j / k navigate · click thread line to collapse