undefined | Better HN

0 pointsSomeone12348y ago0 comments

If that's the case that's a choice Google made. Windows via the CryptProtectData API[0] allows you to protect data via the user's session just like the Gnome Keyring/KDE Wallet.

But as you pointed out, another process with the same privileges can decrypt it making it pretty pointless in both cases. Only way to securely do it is to prompt the user for a decryption key each time they open the browser which has usability issues but Firefox offers it via the Master Password functionality.

[0] https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...

0 comments

exabrial8y ago

So Windows doesn't have an equivalent of OSX Keychain, where an item can have a per-application ACL? [or I have misunderstood the OSX Keychain]

HHad38y ago

Correct, Windows does not have per-application identities that could be used with a keychain service. Furthermore, every application in your Windows session (unless sandboxed) has access to virtual memory of other applications in the same session.

On macOS, applications address spaces are isolated and code signing certificates are used for identifying application requests to the keychain.

j / k navigate · click thread line to collapse