From: Chris Palmer
To: Matt Reimer, Liste FreeBSD-security
Date: Sat, 2 Aug 2008 12:17:20 -0700
Subject: Re: A new kind of security needed
Message-Id: <5D233428-9099-4924-B7F0-3017FD3C3E77@noncombatant.org>
References: <60254.1216921273@critter.freebsd.dk> <4888C882.30707@elischer.org> <200807242320.m6ONKPgW007279@apollo.backplane.com> <51095.192.168.1.10.1216955905.squirrel@192.168.1.100> <20080725045654.GA1572@baranyfelhocske.buza.adamsfamily.xx>

On Jul 28, 2008, at 12:28 PM, Matt Reimer wrote:

> My idea was to basically have a secure file picker that grants the app
> (e.g. Firefox) access to the file, in a way that would be transparent
> to the user. For example, when Firefox wants to save a PDF it displays
> the file picker as usual and the file is saved. Underneath what's
> happening is that Firefox talks to the trusted system filepicker via a
> socket, and depending on the user's input it grants access to the
> file, whether temporarily or permanently.

How can the trusted system filepicker know that it is receiving messages from the true Firefox filepicker, and in response to true user gestures? (Basically, it can't.)

Microsoft had to deal with this problem; see e.g. http://en.wikipedia.org/wiki/User_Account_Control.
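The design Matt describes, as an added example that is not code from the thread: the trusted picker hands the app an already-open descriptor (a capability) over a Unix socket, so the app never needs wider filesystem rights, while the comment in the picker notes the gap Chris raises. The SAVE_AS message, the function names and the file contents are constructed for illustration; it assumes Python 3.9+ on a Unix-like host.

```python
import os
import socket
import tempfile

# Constructed model of "app talks to the trusted picker via a socket":
# the picker returns an open file descriptor as SCM_RIGHTS ancillary data.


def trusted_picker(conn: socket.socket, chosen_path: str) -> None:
    """Trusted side: read the app's request, then hand back a descriptor.

    chosen_path stands in for whatever the user picks in the picker UI; the
    app's request text is only a hint.  The picker can learn which process
    is on the socket (SO_PEERCRED on Linux, LOCAL_PEERCRED on FreeBSD), but
    nothing here tells it whether the request reflects a real user gesture.
    """
    request = conn.recv(4096).decode()
    if not request.startswith("SAVE_AS "):  # protocol sanity check
        conn.sendall(b"REFUSED")
        return
    fd = os.open(chosen_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        # The grant is the descriptor itself, scoped to this one file.
        socket.send_fds(conn, [b"GRANTED"], [fd])
    finally:
        os.close(fd)  # the app now holds its own copy


def untrusted_app(conn: socket.socket, hint: str, data: bytes) -> int:
    """App side: ask for a save target, then write through the granted fd."""
    conn.sendall(f"SAVE_AS {hint}".encode())
    msg, fds, _flags, _addr = socket.recv_fds(conn, 1024, 1)
    if msg != b"GRANTED" or not fds:
        raise PermissionError("picker refused the request")
    with os.fdopen(fds[0], "wb") as f:
        return f.write(data)


def demo() -> bytes:
    """One save round-trip over a socketpair; returns what landed on disk."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "document.pdf")  # the user's "choice"
        app_end, picker_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with app_end, picker_end:
            # Small messages fit the socket buffers, so no thread is needed.
            untrusted_app.__wrapped__ = None  # noqa: placeholder-free marker
            app_end.sendall(b"SAVE_AS ~/Downloads/document.pdf")
            trusted_picker(picker_end, target)
            msg, fds, _f, _a = socket.recv_fds(app_end, 1024, 1)
            with os.fdopen(fds[0], "wb") as f:
                f.write(b"%PDF-1.4 constructed")
        with open(target, "rb") as f:
            return f.read()
```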