Bugtraq mailing list archives
Re: stored credentials was: Netscape 4.5 vulnerability
From: lists () LINA INKA DE (Bernd Eckenfels)
Date: Tue, 20 Apr 1999 21:59:24 +0200
On Mon, Apr 19, 1999 at 10:01:26AM +1200, Russell Fulton wrote:
> To my knowledge you are correct. The bottom line is this: Client programs that store credentials so the user does not have to enter them every time the program is used are insecure. End of story.
Well, actually you can use one key/passphrase to secure all the stored credentials. This has the advantage that you don't need to remember all credentials (which is impossible for secret keys anyway). But it has the disadvantage that the security is

a) breakable by trojans/backdooring
b) as secure as the (weakest) manually entered password

Netscape supports passwords to unlock the credential store. On a physically secure system this provides a bit of security. On physically insecure systems even smartcards can fail, since the trojan can use the plugged-in smartcard without the user noticing it.

Greetings
Bernd
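A sketch of the single-passphrase credential store discussed in this message, as an added example that is not part of the original post and not Netscape's code: all stored credentials are sealed under keys stretched from one manually entered passphrase. The function names, the PBKDF2 work factor and the HMAC-based keystream (a standard-library stand-in for a real AEAD cipher) are assumptions.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not a value from the post


def _keys(passphrase, salt):
    """Stretch the one manually entered passphrase into an encryption and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _xor_keystream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real AEAD cipher.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(credentials, passphrase):
    """Encrypt and authenticate the whole credential store under one passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = salt + nonce + _xor_keystream(enc_key, nonce, json.dumps(credentials).encode())
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(blob, passphrase):
    """Return the credentials; raise ValueError on a wrong passphrase or a modified store."""
    if len(blob) < 64:
        raise ValueError("store truncated")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, cipher = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(passphrase, salt)
    # Check the tag before decrypting, in constant time.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered store")
    return json.loads(_xor_keystream(enc_key, nonce, cipher))


if __name__ == "__main__":
    # Constructed sample credentials and passphrase.
    store = {"mail.example.org": "constructed-mail-password"}
    blob = seal(store, "one long master passphrase")
    print(unseal(blob, "one long master passphrase") == store)
```

The work factor only raises the cost of guessing a weak passphrase offline, which is point b); once the store is unsealed on a compromised host, anything running as the user can read the plaintext, which is point a).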