zlacker

1. virapt+(OP)[view] [source] 2012-09-04 01:47:37
I think you're missing the context here. This system is not about UI. It's not about desktop experience either. It's about making sure your email client is so separated from your $BUSINESS_APPLICATION, that exploiting one does not allow you to access anything on the other - and doing that without relying on handcrafted libvirt configs and hopefully without much processing overhead.

I guess the desktop environment was just a random choice of "this works, so just leave it in" from whatever distribution they started with.

replies(2): >>ericho+x >>mike-c+ui
2. ericho+x[view] [source] 2012-09-04 02:03:49
>>virapt+(OP)
That already exists: it's called a web browser.

Granted, browsers aren't without their security holes, but then again, neither are operating systems. Given the amount of effort being put into browsers to make them secure (especially Chrome), my money's on that.

replies(2): >>virapt+vg >>mike-c+Xi
3. virapt+vg[view] [source] [discussion] 2012-09-04 08:45:24
>>ericho+x
That's exactly why this system goes further. In a browser, it's usually enough to exploit the browser's chrome to get to other sites. Or exploit the browser's binary to get to other apps.

This system goes at least 2 layers deeper. The system itself makes sure that each window has its own desktop environment and can't see others. Hardware takes care of the separation between the security containers the apps are running in. Protection of the app itself is just the first line of defence and is not going away, so whatever sandboxing exists in the browser still applies.

They are also talking about protecting hardware sharing from being used to cross boundaries, which is another layer of paranoia (not unwarranted).

4. mike-c+ui[view] [source] 2012-09-04 09:46:12
>>virapt+(OP)
This is what AppArmor and SELinux are for.
replies(1): >>virapt+Pi
5. virapt+Pi[view] [source] [discussion] 2012-09-04 09:57:59
>>mike-c+ui
In many cases yes, but there are additional issues Qubes is taking care of. For example AppArmor could only restrict your access to Xorg completely - but once you have access, you can read anything from the screen.
6. mike-c+Xi[view] [source] [discussion] 2012-09-04 10:04:53
>>ericho+x
Websites aren't sufficiently sandboxed from each other though. Otherwise we wouldn't have CSRF, XSS and clickjacking attacks.

If you build a webmail client, you need to know all about these attack vectors, and you need to go out of your way to prevent your application from being susceptible to them. Websites are insecure by default.

I don't trust a web browser with my email at all. Not yet. If I were to use webmail, I'd make sure to set up a separate instance of Firefox to run it in, with its own profile. I will continue to use Thunderbird for now though.

I'm not against the idea of using webmail, I just don't think the web is secure enough yet.
