Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials


From: Andrew Farmer <andfarm () gmail com>
Date: Sat, 16 Oct 2010 11:35:07 -0700

On 14 Oct 2010, at 14:01, Jeffrey Walton wrote:
If the encryption key stays on the same PC, there is absolutely no security
in that. Given that this is open source, security through obscurity can't
even start working (-> encrypting local files with a local key / using
custom algo == security through obscurity).

Linux [apparently] has not caught on to the fact that applications
could use help in securing secrets. Microsoft has DPAPI and iOS has
KeyChain (one of the bug reports stated about the same).

Kernel key management seems to be a step in the right direction:

http://lwn.net/Articles/210502/

And FWIW, Keychain Services is mostly (all?) in userspace, so there's no reason a similar solution couldn't be implemented on Linux.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
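The point argued above (a key that lives next to the ciphertext on the same machine is obfuscation, not protection) is easy to make concrete. The following is an added example, not code from this thread, from FileZilla, or from any of the OS keystores mentioned: it models two ways a desktop client could save a password and shows that an attacker who can read the user's files recovers the password from the first layout with no secret at all, while the second layout (key derived from a passphrase the user types and that is never written to disk) only yields the password to someone who knows that passphrase. The function names, the on-disk layout modelled as dicts, and the HMAC-based encrypt-then-MAC cipher are all my own construction for the demo; a real client would use an AEAD such as AES-GCM from a vetted library, or hand the secret to the platform store (DPAPI, Keychain, a kernel keyring) as the messages suggest.

```python
"""Two credential-storage layouts and what a file-reading attacker gets from each.

Added example (not from the Full-Disclosure thread). Crypto primitives below are
built from hashlib/hmac only so the script runs offline; use a vetted AEAD in
real code.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERS = 200_000


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys so the same master key is never used for both.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 as a PRF.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


# --- Layout A: key file stored beside the encrypted password (the pattern criticised above)
def store_with_local_key(password: bytes) -> dict:
    """Models ~/.config/app/{key,credentials}: both files readable by the same user."""
    key = secrets.token_bytes(32)
    return {"key": key, "blob": encrypt(key, password)}


# --- Layout B: key derived from a passphrase the user types; only a salt is written
def store_with_passphrase(password: bytes, passphrase: bytes) -> dict:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERS)
    return {"salt": salt, "blob": encrypt(key, password)}


def open_with_passphrase(store: dict, passphrase: bytes) -> bytes:
    key = hashlib.pbkdf2_hmac("sha256", passphrase, store["salt"], PBKDF2_ITERS)
    return decrypt(key, store["blob"])  # raises ValueError on a wrong passphrase


# --- What an attacker with read access to the files (malware running as the user,
#     a stolen backup, a copied home directory) can do with each layout
def recover_without_secret(store: dict):
    """Return the password if the stored files alone suffice, else None."""
    if "key" in store:
        return decrypt(store["key"], store["blob"])  # Layout A: nothing secret is missing
    return None  # Layout B: the passphrase is not on disk; only a slow guessing attack remains


if __name__ == "__main__":
    pw = b"s3cret-ftp-password"  # constructed sample value
    print("layout A, no secret needed:", recover_without_secret(store_with_local_key(pw)))
    b = store_with_passphrase(pw, b"master passphrase")
    print("layout B, no secret needed:", recover_without_secret(b))
    print("layout B, with passphrase:", open_with_passphrase(b, b"master passphrase"))
```

The slow PBKDF2 in layout B is what turns "read the files" into "guess the passphrase", which is the property the local-key layout cannot offer regardless of how strong the cipher is; an OS store such as DPAPI achieves the same separation by tying the key to the user's logon credential rather than to a file the application itself can read.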