Bugtraq mailing list archives

Re: FileZilla weakly-encrypted password vulnerability


From: Luigi Auriemma <aluigi () autistici org>
Date: Sun, 4 Sep 2005 16:01:18 +0200

Title: FileZilla weakly-encrypted password vulnerability

Lately I have seen a lot of posts about these so called "weak password
schemes" but I really don't understand them and moreover I don't
understand where the problem is...

The program needs to store some "optional" data (nobody forces the users
to save their passwords) on the computer and, to limit a bit the
chances for a "possible" local user to read the stored passwords, it uses
a reversible encryption algorithm.
In any case this algorithm is totally useless since using it or not gives
exactly the same security level.
And it is also the same whether it is a symmetric or asymmetric algorithm because
the program must contain both the encryption and decryption key.

The only security risk I see is when a centralized software (like
a server or an operating system) uses plain-text or a reversible
algorithm for storing or transferring the passwords, because it is more
secure to use only their hashes (MD5, SHA1 and so on) and possibly in
locations where only the admin has access.
But this is the only generic case (plus some other cases specific to
the type of program) in which it is possible to say that a real
vulnerability exists.


> Of course, this wouldn't be
> so easy if FileZilla wasn't an open source application.

True, the difference between "easy" and a closed source application is
about some minutes of debugging or disassembling.

Last thing, from the documentation of Filezilla:
"Select Don't save password if you don't want FileZilla to remember your
password for that site. In this case you will be asked for the password
every time you want to connect to that site. Useful if you're not the
only one who has access to your machine."


BYEZ


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
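An added illustration of the point made above (example code, not part of
the original post and not FileZilla's real scheme): a client-side store
whose decryption key is embedded in the program is recovered with the
program's own decrypt routine, while a server-side store that keeps only
a salted, iterated hash can verify a password without being able to
return it. The XOR transform and the key string are constructed stand-ins;
PBKDF2-SHA256 is used here instead of the bare MD5/SHA1 the post mentions.

```python
"""Added example: embedded-key "encryption" versus server-side hashing.

The obfuscate/deobfuscate pair is a constructed stand-in for the kind of
reversible scheme the post discusses; it is not any real product's format.
"""
import hashlib
import hmac
import os

# Hypothetical key baked into the program. Anyone who has the binary or the
# source has this value too, which is the post's whole argument.
EMBEDDED_KEY = b"constructed-program-key"


def obfuscate(password: str) -> bytes:
    """Reversible transform with a program-embedded key (constructed)."""
    data = password.encode()
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(data))


def deobfuscate(blob: bytes) -> str:
    """Same key, same operation: the program itself recovers the password."""
    return bytes(b ^ EMBEDDED_KEY[i % len(EMBEDDED_KEY)] for i, b in enumerate(blob)).decode()


def reversible_store_round_trips(password: str) -> bool:
    """True when the stored blob yields the original password back, i.e. the
    store is only as strong as access to the program's own decrypt code."""
    return deobfuscate(obfuscate(password)) == password


# Server-side storage: only a salted, iterated digest is kept, so a reader of
# the record cannot obtain the password from it.
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Build a verification record; a fixed salt may be passed for testing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    blob = obfuscate(pw)
    print("client-side blob:", blob.hex())
    print("recovered with the program's own key:", deobfuscate(blob))
    rec = make_record(pw)
    print("server-side record holds no password; verify(correct) =", verify(pw, rec),
          "verify(wrong) =", verify("wrong", rec))
```

The server-side record can be checked but never "decrypted", which is the
distinction the post draws between a local convenience store and a
centralized password database.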

