| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 07 Sep 2005 08:36:36 -0400 From: "MacIntyre, Lawrence Paul" <macintyrelp@...l.gov> To: nick.boyce@...il.com, bugtraq@...urityfocus.com Subject: RE: FileZilla weakly-encrypted password vulnerability: advisory + PoC How hard would it be to use a passphrase to encrypt the passwords? -----Original Message----- From: Nick Boyce [mailto:nick.boyce@...il.com] Sent: Monday, September 05, 2005 12:57 PM To: bugtraq@...urityfocus.com Subject: Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC On 2 Sep 2005 13:59:49 -0000, m123303[ - at - ]richmond.ac.uk wrote: > Vulnerability summary > - --------------------- [...] > There exists a problem in the way the XOR encryption is implemented > because the same cipher key is always used. This key is > hard-coded, which means that anyone can analyze the source code of > the application and find it. Of course, this wouldn't be > so easy if FileZilla wasn't an open source application. [...] Okay .. so (assuming that's a problem) what do you suggest is done by the FileZilla folks about this, given that we've already established ad nauseam that the best you can ever achieve in these circumstances is to obfuscate the key ? See http://marc.theaimsgroup.com/?l=bugtraq&m=112500510209243&w=2 > Solution > - -------- > Choose "Use secure mode" during the installation (this disables > FileZilla from saving passwords), lockdown your client > machines where the FileZilla client is installed, Well, duh ... I always do this with my FileZilla installations - don't you ? I keep precious passwords somewhere else much safer. That's /why/ the FileZilla installer warns you about this and suggests you use secure mode if you're on a multi-user (or otherwise untrustable) machine. Keeping passwords in the registry, or an XML file (or indeed anywhere at all that doesn't in turn require yet another password to access) can only ever be a convenience-vs-security trade-off. No matter how "strongly" you garble the password for storage, if the source code is available then it won't be long before someone works out how to ungarble it - and even if the source code is *not* released it won't slow the Bad Guys down much. > ... or update to a patched version which fixes this issue (if available). Um, how can the FileZilla folks patch the problem, without again releasing the source code of the "new improved" algorithm and/or key ? Cheers, Nick Boyce Bristol, UK
Powered by blists - more mailing lists