| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Apr 2006 00:38:23 -0400 From: "Eliah Kagan" <degeneracypressure@...il.com> To: "franz@...mail.com" <franz@...mail.com> Cc: bugtraq@...urityfocus.com Subject: Re: Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History Disclosure > I guess when he uninstalled Firefox > originally, it wasn't a completely clean uninstall. That's the only > explanation since we couldn't duplicate my reported bug as easily as > we thought. I think that what this comes down to is that when you uninstall Firefox (or Mozilla), it doesn't prompt you with the option to remove all user data. That would eliminate the privacy concern, wouldn't it? To play the devil's advocate, is this a privacy problem at all? Joe installs software as Mary, creates user data, and uninstalls the software. Mary then installs compatible software which reads the old user data. So Mary knows about what was done under her user account--is that bad? Joe should have no expectation that Mary will not find out about what he does when logged on as her. Arguably, Mary's ability to know what her own user account has been used to do constitutes command of her own information and is a boon to Mary's privacy. On the one hand, software should preserve the privacy of all users, even dumb ones. On the other hand, if you're not going to use multiple user accounts, you can hardly expect to enjoy the benefits of privilege separation. -Eliah
Powered by blists - more mailing lists