Full Disclosure mailing list archives
Re: Filezilla's silent caching of user's credentials
From: Adnan Vatandas <adnan.vatandas () googlemail com>
Date: Thu, 14 Oct 2010 10:15:23 +0200
On 14.10.2010 08:39, Christian Sciberras wrote:
I still see this a simple matter of violating KISS to introduce a layer of encryption. The question is, to which end? Sure, an attacker might see the encrypted file and think it's "too difficult" for him to get to the passwords. Another might use a certain utility to decrypt the said file. The thing is, to which end are we encrypting the data? Just for the sake of making it work like the N other programs? I mean, if this doesn't *work*, why even *bother*?
Doesn't look like KISS to me. http://filezilla-project.org/client_features.php Well, anyway. At least two reasons come to my mind why Filezilla shouldn't store user credentials at all without asking the user. First: Here on the full-disclosure mailing list, the average poster certainly has significantly more computer knowledge than the average filezilla user (or computer user in general). Noone questions the stupidity of putting whole Filezilla directories online like the ones found on Google. But that's just how users behave, and a computer program programmed for public use should take this into account. For the same reason Mozilla Firefox automatically choses encrypted connections when using the "New Account Wizard". For the same reason Online Banking automatically switches to SSL encrypted connections instead of offering the customers an optional link to HTTPS. Filezilla does not exactly follow the "do one thing and do it good" Unix philosophy, so it wouldn't "break" the program or anything by storing encrypted passwords. It could even store the credentials securely the same way it stores them right now, just by offering the user to chose a single master password. Second: "Stupid users who upload their own password files" is ONE example where user credentials get into wrong hands. What's about theft, loss or any other situation where strangers get direct access to the machine? You could still blame the user for loosing his notebook or leaving it unattended or not encrypting it or using a computer without being a computer expert in the first place, right? -- Adnan Vatandas http://adnanvatandas.wordpress.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Filezilla's silent caching of user's credentials, (continued)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 13)
- Re: Filezilla's silent caching of user's credentials silky (Oct 13)
- Re: Filezilla's silent caching of user's credentials Chris Evans (Oct 14)
- Re: Filezilla's silent caching of user's credentials silky (Oct 14)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 14)
- Re: Filezilla's silent caching of user's credentials silky (Oct 14)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 14)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 14)
- Re: Filezilla's silent caching of user's credentials Valdis . Kletnieks (Oct 14)
- Re: Filezilla's silent caching of user's credentials Pete Smith (Oct 14)
- Re: Filezilla's silent caching of user's credentials Adnan Vatandas (Oct 14)
- Re: Filezilla's silent caching of user's credentials Jeffrey Walton (Oct 14)
- Re: Filezilla's silent caching of user's credentials Andrew Farmer (Oct 16)
- Re: Filezilla's silent caching of user's credentials Adnan Vatandas (Oct 14)
- Re: Filezilla's silent caching of user's credentials Christian Sciberras (Oct 14)
- Re: Filezilla's silent caching of user's credentials Chris Evans (Oct 14)
- Re: Filezilla's silent caching of user's credentials Jonathan Kamens (Oct 14)