The Linux operating system is known for security. From the bottom up, Linux was designed to be a platform to be trusted. There is, however, one weak link in the chain. This weakness didn’t just appear, nor is it considered a security bug on any given radar. What I’m talking about is the antiquated X11 Window server still found in use on most Linux distributions.
For those who don’t know, X was originally designed and released in 1985 and X11 in 1987. X.org replaced X11 and was originally released April 6, 2004. When X was originally conceived, the computing world was in a completely different state. Both X and X.org lack a few very important security features that are critical for modern-era usage and hardware:
- All X applications have access to everything on your screen
- All X applications can register to receive every keystroke, regardless of which window said keystrokes are typed within
- Applications such as browsers can be remotely controlled such that keystrokes can be forged as if the user were typing them
- The xhost + option can completely disable any security on the display
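
To check a display for the last weakness in the list, the access list that `xhost` prints when run with no arguments can be audited. The script below is an added example, not part of the original article; the function name `audit_xhost` is hypothetical and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Audit the output of `xhost` (run with no arguments) for weak X display
# access control. Reads the output on stdin, prints one finding per line,
# and returns non-zero if any weak setting was found.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by `xhost +`: no client is refused.
                echo "CRITICAL: access control disabled; any client from any host may connect"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"")
                ;;  # status line or blank line: nothing to report
            SI:localuser:*)
                ;;  # grant limited to one named local user: narrowest form
            LOCAL:*)
                echo "WARN: every local user may connect ($line)"
                findings=$((findings + 1)) ;;
            INET:*|INET6:*)
                echo "WARN: host-wide grant with no per-user check ($line)"
                findings=$((findings + 1)) ;;
            *)
                echo "INFO: unrecognised entry ($line)" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_SCOPED='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_MIXED='access control enabled, only authorized clients can connect
LOCAL:
INET:build-host.example
SI:localuser:alice'

# Demonstration on the constructed samples.
# On a live session the equivalent is: xhost | audit_xhost
for sample in "$SAMPLE_OPEN" "$SAMPLE_SCOPED" "$SAMPLE_MIXED"; do
    printf '%s\n' "$sample" | audit_xhost || echo "-> display access is too broad"
done
```

If the check reports disabled access control, `xhost -` turns access control back on for the running display.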