lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 14 Oct 2010 08:39:29 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: michaelslists@...il.com
Cc: full-disclosure@...ts.grok.org.uk, Mutiny <mutiny@...inbeardsucks.com>
Subject: Re: Filezilla's silent caching of user's
	credentials

> Not all attackers are created
> equally.

I still see this a simple matter of violating KISS to introduce a layer of
encryption.
The question is, to which end? Sure, an attacker might see the encrypted
file
and think it's "too difficult" for him to get to the passwords. Another
might use
a certain utility to decrypt the said file. The thing is, to which end are
we encrypting
the data? Just for the sake of making it work like the N other programs?
I mean, if this doesn't *work*, why even *bother*?

> There is no question here. There is no discussion. It should be done,
> and if it is not, password saving should be stopped in FileZilla or an
> alternative program should be sought. It's that simple.

Great. If it's so simple that it can be done in under 10 mins, go complain
to them.

As to "go read our awesome security standards we created", that is the exact
reason
why I consider this "security feature" completely useless.

Cheers,
Chris.







On Thu, Oct 14, 2010 at 2:08 AM, silky <michaelslists@...il.com> wrote:

> On Thu, Oct 14, 2010 at 10:57 AM, Christian Sciberras <uuf6429@...il.com>
> wrote:
> > If the encryption key stays on the same PC, there is absolutely no
> security
> > in that. Given that this is open source, security through obscurity can't
> > even start working (-> encrypting local files with a local key / using
> > custom algo == security through obscurity).
>
> No, you are completely wrong and I encourage you to specifically
> consider a layered threat model or perhaps just read the information
> *already presented* in this thread. Not all attackers are created
> equally.
>
> There is no question here. There is no discussion. It should be done,
> and if it is not, password saving should be stopped in FileZilla or an
> alternative program should be sought. It's that simple.
>
> (Note that BeyondCompare and probably at least N other programs out
> there *do* perform a trivial encoding of the passwords, and it is a
> good and appropriate policy).
>
>
> > Chris.
>
> --
> silky
>
> http://dnoondt.wordpress.com/
>
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ