Re: Current network-password-saving feature needs improvement.

On Thu, 2002-07-18 at 11:17, Hema Seetharamaiah wrote:
> Hello,
> Currently, the user needs to setup the network/http username and
> password via the network preferences capplet. Only if this is done, the
> user can use gweather, stockticker and nautilus (browser part).
> This password is saved into the user's gconf in *plain text*. It's an
> issue of privacy (and security) where somebody ( root for one ) can
> easily get access the user's network password.

> Shouldnt it be stored in an encrypted form, so that at least, it is not
> so easily readable?

I don't think this really could be encrypted.  I mean, it eventually has
to be unencrypted.  Therefor, anyone who could read the encrypted
password could decrypt it, since the algorithm would be freely available
under the GPL/LGPL per the gconf source license.

Second, if you do not trust root, do not use the machine.  Root can
record all your mouse clicks, keyboard presses, network traffic, etc. 
You are completely at root's mercy no matter what.  Sure, go ahead and
type in the password every time; root can just record what you type in
if she so wishes (of course by setting up a program or X modification
ahead of time).

It's like people logging in to their machines remotely from public cyber
cafes or whatnot, thinking they are secure by using SSH and storing the
key on a disk - as soon as they put the disk in the computer, or type in
their password, that computer can record all of it.  If a machine is not
physically secured, and "root secured", you cannot protect your data.

> And more importantly, shouldnt there be an additional option where the
> user gets a choice to *not* save the password and later on, when he
> connects to the http proxy the first time, he is prompted for the
> password? This password could then be retained for the rest of the
> session? 

This, again, really isn't that useful, for the reasons I stated above. 
You would be complicating your experience and not increasing your
security by any substantial amount.  So long as other users can't read
your password (the gconf store used is user readable only, correct?) you
aren't in any more danger storing your password than you would be

Perhaps the only decent addition that could be made is require all
passwords in gconf to be truly encrypted with a master password.  Then,
on login, the password could be queried (or a PAM or GDM module could
use your login password as the master password).  This way, simpler
attacks that simply read your files without installing software would
fail.  Again, tho, as you seem to not trust root, you aren't going to be
able to save yourself from her.  She can just record every password you
type into the system.

> Am bringing up the issue first to get your inputs. Would like to follow
> this up with a proposal.
> Regards,
> Hema.
Sean Middleditch <elanthis awesomeplay com>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]