Bugtraq mailing list archives

stored credentials was: Netscape 4.5 vulnerability


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Mon, 19 Apr 1999 10:01:26 +1200


On Fri, 16 Apr 1999 09:04:31 +0300 Juha Jäykkä
<juolja () UTU FI> wrote:

> > Not like a DES, this encryption can be decrypted. As a result of many
> > experiments I wrote this program. It gives me almost all passwords in my
> > system, because all people use Netscape.
>
>   Blast it. It does not matter even if you used TwoFish, BlowFish or
> IDEA! The passwords saved in the preferences file would still be easily
> decrypted.
>   People seem to be forgetting a very important point here: the
> encryption password must be internally stored somewhere because the user
> never gets asked for it. Thus it is never necessary to "crack" the
> passwords because we can always use the original password.
>   I see this same line of thought here every now and then: people report
> "bugs" like this while they are indeed vulnerable by design. There is no
> secure way of storing a password and recalling it without asking the
> user for some kind of passphrase. Please someone correct me, if I'm
> wrong at this. I know of no such cryptosystem.

To my knowledge you are correct.  The bottom line is this: Client
programs that store credentials so the user does not have to enter them
every time the program is used are insecure.  End of story. I dearly
wish most email, ppp etc. clients did not have a check box: save
password.

As has been pointed out by others (e.g. Joel Maslak) there are cases
where the storage of credentials is pretty well unavoidable because the
applications are run unattended and Joel gives some sensible ways to
mitigate (but not remove) the risk.

One technique I have not seen mentioned recently is postdated
credentials (à la Kerberos postdated tickets).  If you know your
backup or database download is going to be run between 0200 and 0205,
then have it store credentials that are only valid between those times.

Kerberos is the only system that I know that supports postdated
credentials; surely there are others?

Cheers, Russell.
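
The time-window idea from the message above, as an added example that is not part of the original post: it generalizes beyond Kerberos to an HMAC-signed token with a not-before and not-after time, checked by the service. The names `SERVER_KEY`, `issue`, `verify` and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo key. It lives only on the issuing/verifying service;
# the unattended job stores the token, never this key.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue(principal: str, not_before: datetime, not_after: datetime) -> str:
    """Issue a credential that is only valid inside [not_before, not_after]."""
    claims = {"sub": principal,
              "nbf": int(not_before.timestamp()),
              "exp": int(not_after.timestamp())}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return b64(body) + "." + b64(tag)


def verify(token: str, now: datetime) -> str:
    """Return the principal if the token is authentic and `now` is in its window."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong part count or invalid base64
        raise PermissionError("malformed credential") from exc
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    # Check the signature first so the window cannot be edited by the holder.
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    ts = int(now.timestamp())
    if ts < claims["nbf"]:
        raise PermissionError("credential not yet valid")
    if ts > claims["exp"]:
        raise PermissionError("credential expired")
    return claims["sub"]
```

A token copied from the client's disk is still usable inside its window, so this narrows the exposure rather than removing it.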


