RE: Security Vulnerability BS hoax

kremisos
500 Command not understood
Posts: 1
Joined: 2007-01-05 12:04
Location: MI

RE: Security Vulnerability BS hoax

#1 Post by kremisos » 2007-01-05 12:12

RE: http://filezilla.sourceforge.net/forum/ ... php?t=1328

While I think calling this a security vulnerability is a bit of an exaggeration when you take into consideration the facts, I wonder if there would be an easy way to include user random key selection as an option in ./configure.

I know it's really as simple as modifying a few lines of code, and perhaps this could even be an option in windows setup, but I guess having a private key would make a lot more sense.

In retrospect that would really suck hairy ones for anyone who wanted to recover their password without a tool and a clear WARNING: during install that they should save their key somewhere in case they lose their passwords. Just a thought.

I really think it would be nice if all programs that stored passwords transparently like this had this option. Just a random private key generator, and a universal tool for importing keys and decrypting passwords with the various algorithms available.

I myself ran into all of this while trying to find the location of the public key so I could decrypt the passwords stored in my site manager. I'm sure other people would benefit from privatized keys and password encryption/decryption tools.

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2007-01-05 13:09

FZ3 won't obfuscate its passwords at all. Task of the operating system (e.g. encrypted home directories) and an aware user (e.g. always lock workstation before going afk).

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

#3 Post by da chicken » 2007-01-12 18:11

What I don't understand is why you'd want to save your password if you're at all concerned with security.

PostgreSQL uses a similar method to store passwords. You create ~/.pgpass and enter your password in it, and then the system will use that password. The only nice thing about it is that PostgreSQL does check to ensure that .pgpass is not world readable, and if it is, it ignores it.

Due to the security model in place, this is more difficult to employ in Windows. What you could do here is store FileZilla.xml in %appdata%, which is not readable to non-Admins since it's in the user's profile, or in HKCU instead of HKLM.

How to apply this to FZ3 is a bit more difficult, though.
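The permission gate da chicken describes for ~/.pgpass is the one concrete protection in this thread, so here is an added illustration of it in Python. This is not FileZilla or PostgreSQL code; it assumes a POSIX filesystem where chmod is honoured (the post notes that Windows needs a different approach, e.g. the user's profile directory or HKCU), a constructed one-line file format, and hypothetical function names.

```python
"""Refuse a stored-credentials file unless it is private to its owner.

Added example modelled on the .pgpass behaviour described above: a
credentials file that is readable by group or world is ignored rather
than used. Not FileZilla or PostgreSQL code; assumes POSIX permissions.
"""
import os
import stat
import tempfile

# Any group or world permission bit makes the file untrusted.
_SHARED_BITS = stat.S_IRWXG | stat.S_IRWXO


def credentials_file_is_private(path):
    """Return True only if `path` is a regular file with no group/other bits.

    A missing file or a non-regular file (symlink target, directory, pipe)
    is also treated as unusable, so the caller falls back to prompting.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & _SHARED_BITS) == 0


def load_stored_password(path):
    """Return the stored password, or None if the file is not private.

    The file format is constructed for this example: a single line holding
    the password. The point is the permission gate, not the format.
    """
    if not credentials_file_is_private(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def demo():
    """Write two constructed credential files and show which one is honoured."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        private_path = os.path.join(tmp, "private.pgpass")
        shared_path = os.path.join(tmp, "shared.pgpass")
        for p in (private_path, shared_path):
            with open(p, "w", encoding="utf-8") as fh:
                fh.write("example-password\n")  # constructed sample value
        os.chmod(private_path, 0o600)  # owner read/write only: accepted
        os.chmod(shared_path, 0o644)   # world readable: must be rejected
        results["private"] = load_stored_password(private_path)
        results["shared"] = load_stored_password(shared_path)
    return results


if __name__ == "__main__":
    print(demo())  # {'private': 'example-password', 'shared': None}
```

The check is deliberately strict about group bits as well as world bits, so a file shared with a group is also refused; that matches the intent of ignoring anything not private to the owner. On Windows the mode bits returned by os.stat do not reflect the ACL, so an equivalent gate there would have to inspect the file's DACL instead.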
