Liam Gladdy You assume that no system will ever be misconfigured or have issues with the loopback…
Ross Hosman

But you’re also advising that obfuscation, the snake oil of security, is a smart thing to do. I’d much rather have people understanding the risks of a system, rather than thinking it’s secure because they don’t know enough about where keys are stored, etc.

The point is, there is literally no way to make it secure if the data is stored on a local Mac, and that local Mac is compromised. You say “it could be misconfigured”; I’d say, compromised. The only way you can get non-elevated access to lo is to change system user groups with root permissions. That’s the same as being compromised. Wireshark probably shouldn’t do it; maybe that’s worth a post in itself.

You also say that some other software installed on your machine might do it. Sure. But that other software could also be monitoring your clipboard, or, if it has access to your lo interface, either you’ve already configured your Mac to be less secure or it’s running with root access, and could do a bunch of other things to get your data.

In my opinion, Agile have done, and are doing, the right thing here. Security through obscurity is no security at all.
