Some news have been disclosed about the next release of Ubuntu called “Lucid Lynx“. This new distribution is logically planned for April 2010 and will introduce, amongst a long list of new features, the “desktop socialization”. Mark Shuttleworth, the founder of Ubuntu, explained in an interview that the desktop will integrate new tools to interact with social networks. This has been relayed by TheRegister.
Ubuntu will allow access via the desktop to Twitter and Facebook, the big-players in the today’s social networks landscape. The goal is to allow users to update their status and get notifications without opening a browser. If it looks nice on paper, there are some security concerns.
On a pure end-user point of view, it sounds logical to offer more features like access to social networks directly on the desktop. But what about security? As always it is a question of security against usability. The new Ubuntu feature was the origin of a thread on the Full-Disclosure mailing list.
Of course, the new Ubuntu desktop will access the social networks only based on the user decision. The user will have to configures his credentials. But once this initial configuration ready, what will happen? There are chances that the user will store the credentials on the system to avoid retyping his password all the time (we are all lazy people!). The boundary between good (offline) and evil (online) will be further reduced. By opening a browser, the end-user “realizes” that he’ll be online and (maybe) adapt his behavior. Today, everybody is connected all the time to the Internet using broadband or corporate connections but I like to fact to perform an “action” to go online. For the Internet veterans like me, it was like dialing to your ISP with a modem to access the Internet.
Social networks will be more and more a target of choice for the bad guys. Risks will be more important of data received and directly processed at the desktop level. Modern browsers offer much more security features (read: I don’t say they are bullet-proof ;-)) than the desktop and more add-ons could greatly increase the security (like the Firefox add-on NoScript). My browser (as other critical network applications) runs in a restricted environment (sandboxes). It’s always good to apply the principle of privileges separation!
Finally, some tools integrated with the desktop does not have all the nice feature of a browser like the compatibility with SOCKS proxies! In Ubuntu 9.10, the instant messenging client Pigdin was replaced by Empathy. This one does not support SOCKS proxies by default. Passing your traffic thru a SOCKS/SSH tunnel could be useful when you need to connect in an hostile environment like a security conference. Here follow a screenshot of the future interface:
