Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: silky <michaelslists () gmail com>
Date: Thu, 14 Oct 2010 11:08:15 +1100

On Thu, Oct 14, 2010 at 10:57 AM, Christian Sciberras <uuf6429 () gmail com> wrote:
If the encryption key stays on the same PC, there is absolutely no security
in that. Given that this is open source, security through obscurity can't
even start working (-> encrypting local files with a local key / using
custom algo == security through obscurity).

No, you are completely wrong and I encourage you to specifically
consider a layered threat model or perhaps just read the information
*already presented* in this thread. Not all attackers are created

There is no question here. There is no discussion. It should be done,
and if it is not, password saving should be stopped in FileZilla or an
alternative program should be sought. It's that simple.

(Note that BeyondCompare and probably at least N other programs out
there *do* perform a trivial encoding of the passwords, and it is a
good and appropriate policy).




"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]