Re: Scary Stuff!

  • Subject: Re: Scary Stuff!
  • From: Doug Hill <email@hidden>
  • Date: Wed, 17 Jun 2015 14:47:36 -0700

> On Jun 17, 2015, at 2:07 PM, Jens Alfke <email@hidden> wrote:
>
>> On Jun 17, 2015, at 1:17 PM, Doug Hill <email@hidden> wrote:
>>
>> For most of the security problems, you could rewrite your app to opt out of the insecure APIs, system services, etc. and use your own implementation. (see Google Chrome not storing passwords in the Keychain anymore)
>
> Does it? I’m using Chrome on Mac OS and it uses the Keychain. (I just opened Keychain Access and verified that a password I’d added in Chrome this morning shows up there.) Annoyingly, though, it doesn’t recognize Keychain items created by Safari, which means I have to keep looking up passwords in Keychain Access the first time I visit a site in Chrome.

From The Register article:

“Google's Chromium security team was more responsive, and removed keychain integration for Chrome, noting that it could likely not be solved at the application level.”

Take this as you will from a Register article.

> It does sound like there are some best practices that would defeat some of these attacks — like making sure to always create new Keychain items instead of re-using existing ones.

Also to show how hard it is to handle security issues, from the researchers’ paper:

“For Google Gmail, which delete their current keychain items and create new ones before updating their data (sic). Note that this practice (deleting an existing item) is actually discouraged by Apple, which suggests to modify the item instead.”

Even going by Apple’s suggestions it’s hard to get all this right.

Doug
