Full Disclosure mailing list archives
Re: Filezilla's silent caching of user's credentials
From: silky <michaelslists () gmail com>
Date: Thu, 14 Oct 2010 11:08:15 +1100
On Thu, Oct 14, 2010 at 10:57 AM, Christian Sciberras <uuf6429 () gmail com> wrote:
If the encryption key stays on the same PC, there is absolutely no security in that. Given that this is open source, security through obscurity can't even start working (-> encrypting local files with a local key / using custom algo == security through obscurity).
No, you are completely wrong and I encourage you to specifically consider a layered threat model or perhaps just read the information *already presented* in this thread. Not all attackers are created equally. There is no question here. There is no discussion. It should be done, and if it is not, password saving should be stopped in FileZilla or an alternative program should be sought. It's that simple. (Note that BeyondCompare and probably at least N other programs out there *do* perform a trivial encoding of the passwords, and it is a good and appropriate policy).
Chris.
-- silky http://dnoondt.wordpress.com/ "Every morning when I wake up, I experience an exquisite joy — the joy of being this signature." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Filezilla's silent caching of user's credentials, (continued)
- Re: Filezilla's silent caching of user's credentials Shirish Padalkar (Oct 09)
- Re: Filezilla's silent caching of user's credentials Vipul Agarwal (Oct 09)
- Re: Filezilla's silent caching of user's credentials Brandon McGinty (Oct 11)
- Re: Filezilla's silent caching of user's credentials rdsears (Oct 11)
- Re: Filezilla's silent caching of user's credentials Mutiny (Oct 13)
- Re: Filezilla's silent caching of user's credentials Chris Evans (Oct 13)
- Re: Filezilla's silent caching of user's credentials Ryan Sears (Oct 13)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 13)
- Re: Filezilla's silent caching of user's credentials Vipul Agarwal (Oct 09)
- Re: Filezilla's silent caching of user's credentials Shirish Padalkar (Oct 09)
- Re: Filezilla's silent caching of user's credentials silky (Oct 13)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 13)
- Re: Filezilla's silent caching of user's credentials silky (Oct 13)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 13)
- Re: Filezilla's silent caching of user's credentials silky (Oct 13)
- Re: Filezilla's silent caching of user's credentials Chris Evans (Oct 14)
- Re: Filezilla's silent caching of user's credentials silky (Oct 14)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 14)
- Re: Filezilla's silent caching of user's credentials silky (Oct 14)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 14)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 14)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 14)
- Re: Filezilla's silent caching of user's credentials Pete Smith (Oct 14)