Date: Thu, 14 Oct 2010 10:15:23 +0200
From: Adnan Vatandas <adnan.vatandas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Filezilla's silent caching of user's credentials

On 14.10.2010 08:39, Christian Sciberras wrote:
> I still see this as a simple matter of violating KISS to introduce a layer of
> encryption.
> The question is, to which end? Sure, an attacker might see the encrypted
> file and think it's "too difficult" for him to get to the passwords. Another
> might use a certain utility to decrypt the said file. The thing is, to which
> end are we encrypting the data? Just for the sake of making it work like the
> N other programs?
> I mean, if this doesn't *work*, why even *bother*?

Doesn't look like KISS to me.
http://filezilla-project.org/client_features.php

Well, anyway. At least two reasons come to my mind why Filezilla shouldn't store user credentials at all without asking the user.

First: Here on the full-disclosure mailing list, the average poster certainly has significantly more computer knowledge than the average Filezilla user (or computer user in general). No one questions the stupidity of putting whole Filezilla directories online like the ones found on Google. But that's just how users behave, and a computer program programmed for public use should take this into account. For the same reason Mozilla Firefox automatically chooses encrypted connections when using the "New Account Wizard". For the same reason online banking automatically switches to SSL-encrypted connections instead of offering the customers an optional link to HTTPS. Filezilla does not exactly follow the "do one thing and do it well" Unix philosophy, so it wouldn't "break" the program or anything by storing encrypted passwords. It could even store the credentials securely the same way it stores them right now, just by offering the user to choose a single master password.

Second: "Stupid users who upload their own password files" is ONE example where user credentials get into the wrong hands. What about theft, loss or any other situation where strangers get direct access to the machine? You could still blame the user for losing his notebook or leaving it unattended or not encrypting it or using a computer without being a computer expert in the first place, right?

-- 
Adnan Vatandas
http://adnanvatandas.wordpress.com