Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Andrew Farmer <andfarm () gmail com>
Date: Sat, 16 Oct 2010 11:35:07 -0700

On 14 Oct 2010, at 14:01, Jeffrey Walton wrote:
If the encryption key stays on the same PC, there is absolutely no security
in that. Given that this is open source, security through obscurity can't
even start working (-> encrypting local files with a local key / using
custom algo == security through obscurity).

Linux [apparently] has not caught on to the fact that applications
could use help in securing secrets. Microsoft has DPAPI and iOS has
KeyChain (one of the bug reports stated about the same).

Kernel key management seems to be a step in the right direction:

http://lwn.net/Articles/210502/

And FWIW, Keychain Services is mostly (all?) in userspace, so there's no reason a similar solution couldn't be 
implemented on Linux.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]