Practical security questions for users using shared computers

0

I only have a very basic understanding of encryption and authentication. That said, it's probably much better than that of 99% of end-users, which as we know is basically zero. And I think these are questions every user should know, even if they don't understand much else about computer security.

I know that, from a paranoid perspective, you cannot trust any machine you don't completely own and control (and even then the manufacturer could include spy stuff in the hardware). And therefore, you should basically not log into anything at work. But most of the time this isn't entirely practical, and people need to use various accounts or share data between their "personal domain" and work stuff (such as my stackexchange account).

So in the following, let's limit our consideration to a standard, unhacked OS, with no screen viewers or malware installed, no modified hardware, and no cameras or keyloggers to monitor my actions.

  1. Can someone with admin rights access my browser login sessions? If I log into Gmail, it will stay logged in even after logging out of Windows and logging back in again. Is it safer to log out of my Gmail account every time, or doesn't it make any difference?

  2. If I connect to a website using https, the contents should not be viewable to the network admin. But can the machine admin simply read unencrypted information in the browser cache? Do browsers do anything to ensure the privacy of website contents, or is it trivial for a user with admin/disk access to simply view the contents after the fact?

W4uoe9A

Posted 2019-11-12T15:18:50.183

Reputation: 103

Question was closed 2019-11-12T17:18:21.237

2 By "someone other than yourself" do you mean the actual system owner, or do you mean various other users? What's illegal (or difficult/impossible) for e.g. library visitors is not necessarily illegal (or impossible) for the library sysadmin. – user1686 – 2019-11-12T15:44:56.960

2 [security.se] would be a better place for this. With that said, you should read more about HTTPS protocol for your first and second questions. – CaldeiraG – 2019-11-12T15:58:45.873

https://www.cloudflare.com/learning/ssl/what-is-https/ – CaldeiraG – 2019-11-12T16:04:36.763

@grawity Assume a worst-case scenario, so the system owner with an admin account. At work we have a machine for which I and various colleagues have admin accounts. Library users wouldn't have admin accounts. Even the cleaning lady could modify hardware, so that's why I'm excluding stuff that involves bypassing the default security features of an OS. – W4uoe9A – 2019-11-12T16:10:07.770

@CaldeiraG As I said, I understand most of the basics, and assumed that an admin will be able to read the disk contents. I just didn't want to leave any stone unturned. In particular, I don't really know about the browser internals, and there could be something I was missing. – W4uoe9A – 2019-11-12T17:00:08.267

"Can someone with admin rights access my browser login sessions?" - As an Administrator I could, without any effort, copy your browser profile and use it as my own. This would allow me to access any sessions that were still valid. "If I connect to a website using https, the contents should not be viewable to the network admin." - As an Administrator I could force the use of a certificate in order to visit a website through HTTPS; the browser might complain depending on the certificate and the browser. There are security packages that install self-signed certs to scan HTTPS traffic. – Ramhound – 2019-11-12T22:49:08.153

Answers

1

Can someone with admin rights access my browser login sessions? If I log into Gmail, it will stay logged in even after logging out of Windows and logging back in again. How easy would it be to, for example, log in to my Gmail account and reset passwords to login to my other accounts?

Yes. The login session IDs (cookies) are just stored on disk. If you haven't explicitly logged out from Gmail, then someone else could either copy the entire cookie database... or just re-open the browser.

Is it safer to log out of my Gmail account every time, or doesn't it make any difference?

In well-designed webapps, the "logout" link actually marks the session ID as no longer valid on the server, so it cannot be used even if you no longer have it.

(Not all webapps are well-designed. Some of them are still so lazy that they don't even have session IDs but just store the actual password as a cookie. Fortunately those are very much in the minority.)

Even if they can't get login sessions or data, would they be able to identify online usernames and identities?

For mail services, they can open the web browser's history log and see that you've opened a page titled "Gmail - Inbox - foo@example.com" or something such.

In many cases they can also extract a lot of information from cached web pages; e.g. most sites show you your own username and/or have a link to your profile page.

If I connect to a website using https, the contents should be viewable to the website operator and me only

Encryption stops at the computer. HTTPS protection is only for transport, but it stops at the browser – the received HTML data in memory is no longer encrypted; the video signal going to the monitor is (usually) not encrypted; and of course the light coming out of the display is not encrypted.

So in the simplest case, a browser extension could easily access the contents of HTTPS-encrypted pages. Accessibility tools (e.g. screen-readers) can access all text shown on screen.

HTTPS itself can be bypassed when you control the client – just configure it to accept your fake certificates (instead of requiring a publicly-trusted issuer) and you can begin intercepting connections. This is actually a common approach taken by strict corporate networks, as well as by antivirus programs and other malware.

Do websites store unencrypted information in the browser cache?

Often, yes. (The website doesn't store things in cache – the browser itself does.) Usually regular pages and assets (images, scripts) are cached unless the server specifically opts out by sending a header.

On the other hand, interactive webapps heavily use JavaScript-based requests which are not cacheable (or at least set to bypass cache). Caching them would be useless anyway.

Does the browser do anything to ensure the privacy of website contents, or is it trivial for a user with admin/disk access to simply view the contents after the fact? Could these contents accidentally end up in a tape archive and still be easily viewable?

Generally, browsers try to at least obfuscate the remembered passwords, but don't do anything for all remaining data, i.e. bookmarks or cached pages are stored directly on disk.

There's the general assumption that you cannot win against a malicious sysadmin; the only winning move is not to play. And in most cases, anyway, either the browser is being used by the system's owner or by its primary user.

(The browser usually can't protect stored data without help from the OS anyway. For example, it could encrypt data... but where would it store the encryption key? And if it asked you for the key every time, how would it prove that it's the real browser and not a fake password prompt crafted by the sysadmin?)

That said, if you activate "Incognito mode" or similar, the browser tries to avoid storing anything on disk – it will use a memory cache only; it will not remember cookies or login sessions; it will not keep history on disk. This helps against the simplest attacks that you mention, although it still does absolutely nothing against keyloggers or screen-capture tools.

Assuming I have admin access too, what steps or measures can I take to make sure that none of the other admins are doing something untoward? Will disk encryption help?

Technical means won't solve the problem you are having with your co-admins.

(However, at least as a very basic measure, just don't share the OS-level user accounts. Yes, they're easily bypassable with admin access, but so are most door locks and yet most people still respect them.)

Similarly, should I avoid using my user folder in the network storage? I suppose this is similar to the previous questions, with the added vulnerability that the data is more likely to be permanently backed up somewhere. Or am I missing something?

Your user folder in the network storage is literally just a folder in network storage.

Whoever manages the actual storage server is always technically capable of viewing it (although they might be subject to audit logs). Really they might be required to have access, in order to make regular backups or even to be able to comply with legal requests.

user1686

Posted 2019-11-12T15:18:50.183

Reputation: 283 655
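The answer's point about logout is that a well-designed webapp invalidates the session ID on the server, so a copied cookie stops working the moment the user logs out, whereas a "password as cookie" design has nothing to revoke. The following is an added illustration written for this page, not code from the answer or from any real webapp; the session store, the user database and the cookie formats are all constructed for the demonstration.

```python
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table: the cookie value is an opaque random ID and
    the server, not the cookie, decides whether it is still valid."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"user": ..., "expires": ...}

    def login(self, username, now=None):
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[session_id] = {"user": username, "expires": now + self.ttl}
        return session_id

    def lookup(self, session_id, now=None):
        """Return the username for a live session, or None if unknown/expired/revoked."""
        now = time.time() if now is None else now
        entry = self._sessions.get(session_id)
        if entry is None or entry["expires"] <= now:
            self._sessions.pop(session_id, None)  # drop expired entries eagerly
            return None
        return entry["user"]

    def logout(self, session_id):
        """Revoke on the server: every copy of this cookie is dead from now on."""
        return self._sessions.pop(session_id, None) is not None


# The lazy design the answer warns about: the cookie *is* the credential.
def password_cookie_login(username, password):
    return f"{username}:{password}"


def password_cookie_check(cookie, user_db):
    username, _, password = cookie.partition(":")
    stored = user_db.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return None
    return username


def demonstrate():
    """Walk through both designs with a cookie that was copied off the disk."""
    store = SessionStore(ttl_seconds=600)
    sid = store.login("alice")
    copied = sid  # an admin copies the cookie database while the session is live
    before = store.lookup(copied)  # the copy works as long as the session is valid
    store.logout(sid)
    after = store.lookup(copied)  # None: revocation on the server kills the copy too

    users = {"alice": "correct horse battery staple"}  # constructed user database
    pw_cookie = password_cookie_login("alice", users["alice"])
    # Nothing to revoke here: the copied cookie stays valid until the password changes.
    still_valid = password_cookie_check(pw_cookie, users)
    return {
        "copied_before_logout": before,
        "copied_after_logout": after,
        "password_cookie_after_logout": still_valid,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The design lesson is in `logout`: revocation has to happen on the server side, because the client cannot make a stolen or copied cookie disappear from someone else's disk. The TTL is the backstop for sessions that were never logged out, which is exactly the case the question describes.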
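The answer also says pages and assets land in the on-disk cache unless the server opts out with a header, while JavaScript-driven API requests are usually marked non-cacheable. The following added example, written for this page and not taken from the answer or from any browser's source, decides from the response headers whether a browser's private cache may write a response to disk. It is a simplified reading of RFC 9111 (HTTP Caching); the sample responses are constructed, not captured from any real site.

```python
"""Decide whether a browser's private cache may store a response on disk.

Simplified from RFC 9111; real browsers add more rules (Vary, authenticated
responses, per-site policies), but the directives below are the ones that
decide the question on this page: did the server opt out?
"""

# Status codes a cache may store without an explicit freshness lifetime
# (RFC 9111 section 4.2.2, "heuristic freshness").
_HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """'private, max-age=0, no-cache' -> {'private': True, 'max-age': '0', 'no-cache': True}"""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives


def stored_by_browser(method, status, headers):
    """Return (stored, reason) for a private (per-user) browser cache."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))

    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing the response at all"
    if method.upper() != "GET":
        return False, "only GET responses are stored in this simplified model"

    explicit_freshness = ("max-age" in cc or "expires" in lower or "public" in cc)
    if status not in _HEURISTICALLY_CACHEABLE and not explicit_freshness:
        return False, f"status {status} needs explicit freshness to be cached"

    # The remaining directives restrict *reuse*, not *storage*: the bytes still
    # end up on disk, which is what matters for someone reading the disk later.
    if "private" in cc:
        return True, "private only excludes shared caches; the browser may still store it"
    if "no-cache" in cc:
        return True, "no-cache means revalidate before reuse; the bytes are still stored"
    if cc.get("max-age") == "0":
        return True, "max-age=0 is stale immediately but still written to the cache"
    return True, "cacheable; stored with explicit or heuristic freshness"


# Constructed sample responses (method, status, headers); not from any real site.
SAMPLE_RESPONSES = {
    "static_logo": ("GET", 200, {"Cache-Control": "public, max-age=86400", "Content-Type": "image/png"}),
    "mailbox_json": ("GET", 200, {"Cache-Control": "no-store", "Content-Type": "application/json"}),
    "inbox_html": ("GET", 200, {"Cache-Control": "private, no-cache", "Content-Type": "text/html"}),
    "no_headers_page": ("GET", 200, {"Content-Type": "text/html"}),
    "form_post": ("POST", 200, {"Content-Type": "text/html"}),
    "redirect_302": ("GET", 302, {"Location": "/login"}),
}


def classify_samples():
    """Map each sample name to whether the browser would write it to disk."""
    return {name: stored_by_browser(*resp)[0] for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        stored, reason = stored_by_browser(*resp)
        print(f"{name:16} stored={str(stored):5} {reason}")
```

The check worth remembering is the difference between `no-store` and `private`/`no-cache`: only `no-store` keeps the response off the disk. The other two still let the browser write the page to its cache and merely govern when it may be reused, so a page served with `Cache-Control: private` is exactly the kind of "cached web page" the answer says an admin can read after the fact.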

Thanks for the answer. I guess the reality is pretty sobering.

Is there some feature of the OS that would allow a browser to encrypt certain information, such as session tokens, using my OS log-in? As far as I understand a sysadmin by default has no way of uncovering my Windows password. If it were possible to use this authentication, at least the browser could be confident that whoever controls the tokens also has the OS password. – W4uoe9A – 2019-11-12T17:09:13.430

Some operating systems have it (e.g. Windows has CryptProtectData for individual pieces and in Pro you can enable EFS for whole files, macOS has Keychain and APFS encryption, Linux sometimes has GNOME Keyring and you can configure eCryptFS for whole files). The problem with "by default" is that the sysadmin can create ways... – user1686 – 2019-11-12T17:44:45.813

Cool. This could now be practical, useful advice that I could use to change my behaviour. So, I could store some credentials in Keychain/Keyring, and always log out of Gmail sessions. That would prevent an admin from simply opening my website sessions, and he would need to modify the OS in some way in order to sniff my credentials. Am I correct?

That would be a big plus for security, IMO. I always shied away from OS-integrated password managers, as they seemed kind of redundant with multi-platform password managers and I didn't really understand the security implications. – W4uoe9A – 2019-11-12T19:15:35.673

1 "HTTPS protection is only for transport" - This is an excellent statement, since it highlights the intentional limitations of Hypertext Transfer Protocol Secure (HTTPS). – Ramhound – 2019-11-12T20:04:47.870

@W4uoe9A - If you are worried about an Administrator accessing your files on a work computer, it's best to just not have anything that the Administrator would care to look at. As an Administrator it is trivial to export the certificate used in the EFS functionality. I am sure there are similar methods to configure MacOS to do the same. It is also trivial to use a self-signed certificate for all HTTPS traffic, allowing anyone with access to the man-in-the-middle server to decrypt the traffic between your machine and the external server. Common usage of that is through a proxy. – Ramhound – 2019-11-12T22:52:09.510

@Ramhound Is it useful to export the certificate, if we don't have the user's private key? Or can an admin simply read private keys from the disk? – W4uoe9A – 2019-11-13T05:31:49.380

EFS private keys are actually protected with your Windows password, so an admin cannot export them without knowing it. However, an admin can configure EFS to force the files to be encrypted with their certificate in addition to your own (this is actually a built-in feature called a "Recovery Agent"). – user1686 – 2019-11-13T05:33:27.417

@W4uoe9A - As grawity alludes to, I can configure EFS on your workstation to use my own certificate in addition to your certificate, thus allowing me the ability to decrypt your file. There isn't anything you as the end-user can do that I as an Administrator can't undo. If you happen to do something I don't like, I nuke the workstation from orbit and prevent you from doing that "something" again. So don't store anything private on a computer at work. – Ramhound – 2019-11-13T05:47:03.637