Security for Cloud Desktop
If the Internet is the computer, if the cloud touches down on the desktop, the security will be the first thing to protect. How is my credential stored? Is it safe?
In the current Beta 1, the credentials are stored in the user's local profile (Documents & Settings) with Windows Data Protection. If someone can logon to your machine and get access to your documents. This is vulnerable. But if someone can physically control your machine, what is not vulnerable?
To make it not vulnerable even when the PC is compromised, we need 2 factor protection with an optional password. By using Windows Data Protection with the additional password, it could offer more comfort. However, your IE remembered password may not be password protected. If you Firefox is not using a master password, the remembered password is vulnerable too. If you write down your password in Notepad ... All 1 factor protections depending on a windows logon prompt are vulnerable if the threat model includes the PC being compromised.
Security is a big thing. Let's do another review before releasing Beta 2.
In the current Beta 1, the credentials are stored in the user's local profile (Documents & Settings) with Windows Data Protection. If someone can logon to your machine and get access to your documents. This is vulnerable. But if someone can physically control your machine, what is not vulnerable?
To make it not vulnerable even when the PC is compromised, we need 2 factor protection with an optional password. By using Windows Data Protection with the additional password, it could offer more comfort. However, your IE remembered password may not be password protected. If you Firefox is not using a master password, the remembered password is vulnerable too. If you write down your password in Notepad ... All 1 factor protections depending on a windows logon prompt are vulnerable if the threat model includes the PC being compromised.
Security is a big thing. Let's do another review before releasing Beta 2.
Comments
Now securing robustly enough as you want to do seems a major step and may take some time to reach.
I think security has to be consistent.
you are right when you don't want to be the weakest link in the security chain but with a simple second level password you already are not.
because with o**cr*ck live CD most windows password can be cracked and then access to all local data is granted anyway.
To sum up :
I think your concern about security is right.
But getting a full fledged security level may take some time
and delaying the beta 2 for that may be too long if you want the perfect security.
decent security for beta 2 should suffice given the windows security level.
For beta 3 you could implement further and more robust security, with secured single sign on with open id (for example etc.) may be (password not stored on the computer since your feature require internet)
I think 2 password is enough for beta 2 step when you consider how robust windows is.
(I do not mention that even without pasword the hard frive in windows is generally not encrypted so removing the hard drive of a stolen pc and reading it is enough in most case to get access to the data)
you are right to seek a level o security on par with that of people encrypting their hard disk and implementing a BIOS password but in my opinion this deserve fully a new beta level and should not delay beta 2 very much expected.
best regards
Thibault