Tuesday, November 30, 2004

Finding Holes in your Desktop

People who have installed Desktop Google have found something unexpected in their computer – security holes.

Google's not doing anything wrong. Its software is doing exactly what it's supposed to do – finding files. The fault lies with the parts of the operating system that do a bad job of securing files they're supposed to be securing.

First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first. Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them. Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway.

People blame Desktop Google for the problems, but that's really only blaming the messenger. The holes would exist even if Google never had.

The underlying problems would remain: The private Web pages would still be in the browser's cache; the encryption program would still be leaving copies of the plain-text files in the operating system's cache; and the administrator could still eavesdrop on anyone's computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user. In the end, this can only harm security.

Fix the problem, don't muzzle the messenger.
