Open Source and information security mailing list archives
Date: Sun, 4 Sep 2005 16:01:18 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Cc: M123303@...hmond.ac.uk
Subject: Re: FileZilla weakly-encrypted password vulnerability


> Title: FileZilla weakly-encrypted password vulnerability

Lately I have seen a lot of posts about these so-called "weak password
schemes" but I really don't understand them and moreover I don't
understand where the problem is...

The program needs to store some "optional" data (nobody forces the users
to save their passwords) on the computer and, to limit a bit the
chances for a "possible" local user to read the stored passwords, it uses
a reversible encryption algorithm.
In any case this algorithm is totally useless since using it or not gives
exactly the same security level.
And it is also the same if it is a symmetric or asymmetric algorithm because
the program must contain both the encryption and decryption key.

The only security risk I see is when a centralized software (like
a server or an operating system) uses plain-text or a reversible
algorithm for storing or transferring the passwords, because it is more
secure to use only their hashes (MD5, SHA1 and so on) and possibly in
locations where only the admin has access.
But this is the only generic case (plus some other cases specific to
the type of program) in which it is possible to say that a real
vulnerability exists.


> Of course, this wouldn't be
> so easy if FileZilla wasn't an open source application.

True, the difference between "easy" and a closed source application is
about some minutes of debugging or disassembling.

Last thing, from the documentation of FileZilla:
"Select Don't save password if you don't want FileZilla to remember your
password for that site. In this case you will be asked for the password
every time you want to connect to that site. Useful if you're not the
only one who has access to your machine."


BYEZ


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
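Added example (not from the original post or from the FileZilla project) illustrating the argument in the message above: a client that stores a password with a reversible transform must ship the key inside its own program, so anyone holding that program can reverse it, whereas a server only needs to verify a password and can keep a salted, iterated hash instead. The XOR transform, the embedded key and the sample password below are constructed placeholders, not FileZilla's actual scheme.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy client-side scheme (NOT FileZilla's real algorithm): the
# key has to live inside the program so it can recover the saved password
# before sending it to the server. Whoever has the program has the key.
EMBEDDED_KEY = b"example-key-shipped-inside-binary"  # constructed placeholder


def client_obfuscate(password: str) -> bytes:
    """Reversible transform using a key the program itself must contain."""
    data = password.encode()
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(data))


def client_deobfuscate(stored: bytes) -> str:
    """Same key, same operation: whatever the client can do, a local reader can do."""
    plain = bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(stored))
    return plain.decode()


# Server side: the server never needs the password back, only a yes/no check,
# so it stores a salted, iterated hash and nothing reversible.
def server_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def server_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    blob = client_obfuscate(pw)
    print("stored blob differs from plaintext:", blob != pw.encode())
    print("but the shipped key recovers it:", client_deobfuscate(blob) == pw)
    salt, digest = server_store(pw)
    print("server accepts correct password:", server_verify(pw, salt, digest))
    print("server rejects wrong password:", server_verify("hunter3", salt, digest))
```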

