Keruspe / GPaste

Clipboard management system
BSD 2-Clause "Simplified" License

Security defaults should be improved #357

Open neg3ntropy opened 3 years ago

neg3ntropy commented 3 years ago

I enjoy gpaste via the gnome extension and I maintain a custom Fedora "spin" for my organization as well as family and friends, where I have GPaste preinstalled and active by default. This issue is constructive criticism from a user about the security/privacy features and default settings. I think they are bad and a bit lacking respectively.

Defaulting to a history size of 100, persisted to disk, is really not prudent. Plus, there's no time-based expiration. Most of the time a user would not think about clipboard history and just be glad it's there when they need it. However, unless they went and changed the configuration or manually intervened at the right time to protect sensitive data, it is very easy to leave secrets on the computer for a long time.

I would consider a good default to be:

  1. no disk persistence
  2. 10-20 items max (1 page, easy to check)
  3. items expire after 24h

Furthermore the min number of entries setting appears to be 100. I am not sure if the faults lie in the extension or the daemon. Thanks for the consideration.
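
The three defaults proposed above (no disk persistence, a small item cap, expiry after 24 hours), sketched as an added example that is not part of the original post and not GPaste code. The class name `EphemeralHistory` and its parameters are hypothetical.

```python
import time
from collections import deque


class EphemeralHistory:
    """Hypothetical memory-only clipboard history: bounded, expiring, never written to disk."""

    def __init__(self, max_items=20, ttl_seconds=24 * 3600, clock=time.time):
        self._items = deque()      # (timestamp, text) pairs, newest first
        self._max = max_items      # proposal 2: 10-20 items max
        self._ttl = ttl_seconds    # proposal 3: items expire after 24h
        self._clock = clock        # injectable so expiry can be tested

    def _purge(self):
        # Oldest entries sit at the right end; drop each one whose age
        # has reached the TTL.
        cutoff = self._clock() - self._ttl
        while self._items and self._items[-1][0] <= cutoff:
            self._items.pop()

    def add(self, text):
        self._purge()
        # Copying the same text again moves it to the front with a fresh
        # timestamp instead of storing a duplicate.
        self._items = deque(e for e in self._items if e[1] != text)
        self._items.appendleft((self._clock(), text))
        while len(self._items) > self._max:
            self._items.pop()      # size cap evicts the oldest entry

    def entries(self):
        # Expiry is enforced on every read, so a stale secret is never
        # returned even if nothing was copied in the meantime.
        self._purge()
        return [text for _, text in self._items]

    def clear(self):
        self._items.clear()


if __name__ == "__main__":
    now = [0.0]                    # constructed fake clock, in seconds
    h = EphemeralHistory(max_items=3, clock=lambda: now[0])
    h.add("constructed-secret")
    now[0] += 23 * 3600
    print(h.entries())             # still present before 24h
    now[0] += 3600
    print(h.entries())             # gone once 24h have passed
```

Because nothing is serialized, the history is lost when the process exits, which is the point of the first proposal.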

nudgegoonies commented 3 weeks ago

KeepassXC, for example, clears the clipboard by default after 10 seconds so secrets don't stay in the clipboard. Could gpaste react to those events?

attila-lendvai commented 3 weeks ago

not saving the history to disk by default is the absolute minimum as a first and trivial step.

the users themselves should turn this on if they wish.

attila-lendvai commented 3 weeks ago

i opened essentially the same issue before finding this older one. i've closed mine, and i'm copying the description i wrote here:

context

the basic idea of the clipboard is that it's an ephemeral storage, not readable by any app without explicit user action. as such, it often contains passwords and other sensitive information in its regular use. saving the history in clear text increases the attack surface in at least two ways:

  1. boot from a pen drive and steal the clipboard history (from any unencrypted installation, which is still too often the case).
  2. any app that has disk access can steal the passwords, even if it has no access to the clipboard.

request

please set the default value of the Save History setting to disabled to minimise any unintended exposure to these attacks.

attila-lendvai commented 3 weeks ago

> KeepassXC, for example, clears the clipboard by default after 10 seconds so secrets don't stay in the clipboard. Could gpaste react to those events?

i don't think this is the right direction. a major increase of complexity for little gain.

the long-term fix should be that the clipboard is not readable to any apps without the user's action. either by approving permanent access for an app like gpaste, or by pasting the clipboard contents somewhere. otherwise the clipboard should be an ephemeral and isolated storage that apps can write, but cannot read.