Bugtraq mailing list archives
stored credentials was: Netscape 4.5 vulnerability
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Mon, 19 Apr 1999 10:01:26 +1200
On Fri, 16 Apr 1999 09:04:31 +0300 Juha Jäykkä <juolja () UTU FI> wrote:
Not like a DES, this encryption can be decrypted. As a result of many experiments I wrote this program. It gives me almost all passwords in my system, because all people use Netscape. Blast it. It does not matter even if you used TwoFish, BlowFish or IDEA! The passwords saved in the preferences file would still be easily decrypted. People seem to be forgetting a very important point here: the encryption password must be internally stored somewhere because the user never gets asked for it. Thus it is never necessary to "crack" the passwords because we can always use the original password. I see this same line of thought here every now and then: people report "bugs" like this while they are indeed vulnerable by design. There is no secure way of storing a password and recalling it without asking the user for some kind of passphrase. Please someone correct me if I'm wrong at this. I know of no such cryptosystem.
To my knowledge you are correct. The bottom line is this: Client programs that store credentials so the user does not have to enter them every time the program is used are insecure. End of story. I dearly wish most email, ppp etc. clients did not have a check box: save password.

As has been pointed out by others (e.g. Joel Maslak) there are cases where the storage of credentials is pretty well unavoidable because the applications are run unattended, and Joel gives some sensible ways to mitigate (but not remove) the risk.

One technique I have not seen mentioned recently is post dated credentials (à la Kerberos post dated tickets). If you know your backup or database download is going to be run between 0200 and 0205 then have it store credentials that are only valid between those times. Kerberos is the only system that I know that supports postdated credentials; surely there are others?

Cheers, Russell.
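The post-dated credential idea from the message above, as an added example that is not part of the original post and is not Kerberos: the service signs a validity window into the credential with HMAC-SHA256, so a copy taken from the unattended client is rejected outside 02:00 to 02:05. The key, function names, token layout and the "backup-job" principal are assumptions made for illustration.

```python
import calendar
import hashlib
import hmac
import struct

# Constructed demo key (assumption); the real key never leaves the service.
SERVICE_KEY = b"constructed-demo-key"
HEADER = struct.Struct(">QQH")  # not_before, not_after, principal length
TAG_LEN = hashlib.sha256().digest_size


def issue_credential(key, principal, not_before, not_after):
    """Sign a credential usable only within [not_before, not_after] (epoch seconds)."""
    if not_after <= not_before:
        raise ValueError("validity window must have positive length")
    name = principal.encode("utf-8")
    body = HEADER.pack(not_before, not_after, len(name)) + name
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_credential(key, token, now):
    """Return (True, principal) or (False, reason) for a presented credential."""
    if len(token) < HEADER.size + TAG_LEN:
        return False, "malformed"
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad signature"
    not_before, not_after, name_len = HEADER.unpack_from(body)
    if len(body) != HEADER.size + name_len:
        return False, "malformed"
    if now < not_before:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    return True, body[HEADER.size:].decode("utf-8")


# Constructed scenario: nightly backup permitted 02:00-02:05 UTC only.
WINDOW_START = calendar.timegm((1999, 4, 20, 2, 0, 0))
WINDOW_END = WINDOW_START + 5 * 60
STORED = issue_credential(SERVICE_KEY, "backup-job", WINDOW_START, WINDOW_END)

if __name__ == "__main__":
    for label, t in [("01:59", WINDOW_START - 60), ("02:03", WINDOW_START + 180),
                     ("02:06", WINDOW_END + 60)]:
        print(label, verify_credential(SERVICE_KEY, STORED, t))
```

Within the window the stored credential is still usable by anyone who can read it, which is why this mitigates the risk rather than removing it.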