mirror of https://github.com/PrivSec-dev/privsec.dev synced 2025-01-20 19:11:33 -05:00

Minor wording changes (#313)

Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2025-01-09 23:44:03 -07:00 committed by GitHub
parent ec6b326293
commit ba95062a63
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -11,7 +11,7 @@ ChromeOS encrypts user data on the disk by default. The implementation details a
It is well-known that ChromeOS uses Google account passwords as the primary login credentials. This necessarily means that anyone with knowledge of the Google account password is able to unlock and therefore decrypt a ChromeOS user profile. It is well-known that ChromeOS uses Google account passwords as the primary login credentials. This necessarily means that anyone with knowledge of the Google account password is able to unlock and therefore decrypt a ChromeOS user profile.
Recent versions of ChromeOS also allows users to use a separare login password instead of the Google account password. Recent versions of ChromeOS allows users to use a separare login password instead of the Google account password.
![Local Password](local-password.png) ![Local Password](local-password.png)
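Review bot: The rewritten sentence in this hunk still reads "Recent versions of ChromeOS allows users to use a separare login password". "separare" should be "separate", and the plural subject "versions" takes "allow", not "allows". Since the line is already being edited for wording, fix both in the same change.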
@ -27,7 +27,7 @@ As a result, someone with sufficient access to Google's servers would theoretica
This differs from how encryption passwords are handled by other services like cloud&#8209;based password managers&nbsp;&mdash; they use _client&#8209;side hashing_ to deliberately blind the server from the actual password. As the name suggests, the browser locally executes a cryptographic hash function on the actual password and only transmits the _resultant hash_ to the server for authentication. This differs from how encryption passwords are handled by other services like cloud&#8209;based password managers&nbsp;&mdash; they use _client&#8209;side hashing_ to deliberately blind the server from the actual password. As the name suggests, the browser locally executes a cryptographic hash function on the actual password and only transmits the _resultant hash_ to the server for authentication.
The user should be able to avoid this issue with the local password. While we have not done in-depth analysis to confirm that Google never has access to the local encryption password, this is likely the case since an account recovery using the Google password will require a Powerwash: On newer ChromeOS versions, users should be able to avoid this issue with the local password. While we have not done in-depth analysis to confirm that Google never has access to the local encryption password, this is likely the case since an account recovery using the Google password will require a Powerwash:
![Account Recovery](account-recovery.png) ![Account Recovery](account-recovery.png)
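Review bot: "On newer ChromeOS versions" in the changed paragraph names no version, while the earlier hunk uses "Recent versions of ChromeOS" for the same feature. Use one wording in both places and, if the first release that offers the local password is known, state it so readers on older releases can tell whether this mitigation applies to them. In the same paragraph, "have not done in-depth analysis" reads better as "have not done an in-depth analysis".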