Date: Thu, 14 Oct 2010 10:15:23 +0200
From: Adnan Vatandas <adnan.vatandas@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Filezilla's silent caching of user's credentials

On 14.10.2010 08:39, Christian Sciberras wrote:

> I still see this a simple matter of violating KISS to introduce a layer of
> encryption.
> The question is, to which end? Sure, an attacker might see the encrypted
> file and think it's "too difficult" for him to get to the passwords. Another
> might use a certain utility to decrypt the said file. The thing is, to which
> end are we encrypting the data? Just for the sake of making it work like
> the N other programs?
> I mean, if this doesn't *work*, why even *bother*?

Doesn't look like KISS to me.

http://filezilla-project.org/client_features.php

Well, anyway. At least two reasons come to my mind why Filezilla
shouldn't store user credentials at all without asking the user.

First:
Here on the full-disclosure mailing list, the average poster certainly
has significantly more computer knowledge than the average filezilla
user (or computer user in general).
No one questions the stupidity of putting whole Filezilla directories
online like the ones found on Google. But that's just how users
behave, and a computer program programmed for public use
should take this into account. For the same reason Mozilla Firefox
automatically chooses encrypted connections when using the
"New Account Wizard". For the same reason Online Banking
automatically switches to SSL encrypted connections instead of
offering the customers an optional link to HTTPS.
Filezilla does not exactly follow the "do one thing and do it good"
Unix philosophy, so it wouldn't "break" the program or anything by
storing encrypted passwords. It could even store the credentials
securely the same way it stores them right now, just by offering the
user to choose a single master password.

Second:
"Stupid users who upload their own password files" is ONE example
where user credentials get into wrong hands.
What about theft, loss or any other situation where strangers
get direct access to the machine?

You could still blame the user for losing his notebook
or leaving it unattended or not encrypting it or using a computer
without being a computer expert in the first place, right?

-- 

Adnan Vatandas

http://adnanvatandas.wordpress.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/