Re: Current network-password-saving feature needs improvement.

On Thu, 2002-07-18 at 11:46, Sean Middleditch wrote:
> On Thu, 2002-07-18 at 11:17, Hema Seetharamaiah wrote:
> > Hello,
> > 
> > Currently, the user needs to set up the network/http username and
> > password via the network preferences capplet. Only if this is done, the
> > user can use gweather, stockticker and nautilus (browser part).
> > 
> > This password is saved into the user's gconf in *plain text*. It's an
> > issue of privacy (and security) where somebody (root for one) can
> > easily get access to the user's network password.
> > Shouldn't it be stored in an encrypted form, so that at least, it is not
> > so easily readable?
> I don't think this really could be encrypted.  I mean, it eventually has
> to be unencrypted.  Therefore, anyone who could read the encrypted
> password could decrypt it, since the algorithm would be freely available
> under the GPL/LGPL per the gconf source license.
> Second, if you do not trust root, do not use the machine.  Root can
> record all your mouse clicks, keyboard presses, network traffic, etc. 
> You are completely at root's mercy no matter what.  Sure, go ahead and
> type in the password every time; root can just record what you type in
> if she so wishes (of course by setting up a program or X modification
> ahead of time).
> > And more importantly, shouldn't there be an additional option where the
> > user gets a choice to *not* save the password and later on, when he
> > connects to the http proxy the first time, he is prompted for the
> > password? This password could then be retained for the rest of the
> > session? 
> This, again, really isn't that useful, for the reasons I stated above. 
> You would be complicating your experience and not increasing your
> security by any substantial amount.  So long as other users can't read
> your password (the gconf store used is user readable only, correct?) you
> aren't in any more danger storing your password than you would be
> otherwise.

...but it would be nice to mark passwords as such, so that gconf-edit
wouldn't broadcast them at will.

Perhaps, they might show up as "***" until being clicked to edit?

The over-the-shoulder security factor there...
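
The "user readable only" question raised in the thread can be checked directly. The following is an added example, not part of the original messages and not GConf code: it lists files under a settings directory that an account other than the owner could read, counting a file only when every directory above it is also searchable by that account class. The function name and the constructed directory tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def exposed_files(root):
    """List files under root readable by someone other than the owner.

    A file counts only if it has a group/other read bit AND every directory
    from root down to it grants that same class search (x) permission.
    Directories above root are assumed traversable (worst case).
    """
    root = os.path.abspath(root)
    found = []

    def walk(path, grp_ok, oth_ok):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            return  # never follow symlinks out of the tree
        if stat.S_ISDIR(mode):
            grp_ok = grp_ok and bool(mode & stat.S_IXGRP)
            oth_ok = oth_ok and bool(mode & stat.S_IXOTH)
            if grp_ok or oth_ok:  # nothing below is reachable otherwise
                for name in sorted(os.listdir(path)):
                    walk(os.path.join(path, name), grp_ok, oth_ok)
        elif (grp_ok and mode & stat.S_IRGRP) or (oth_ok and mode & stat.S_IROTH):
            found.append(os.path.relpath(path, root))

    walk(root, True, True)
    return found


if __name__ == "__main__":
    # Constructed sample tree (hypothetical names), not a real settings store.
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store")
        for sub, dmode in (("locked", 0o700), ("open", 0o755)):
            os.makedirs(os.path.join(store, sub))
            path = os.path.join(store, sub, "settings.xml")
            with open(path, "w") as fh:
                fh.write("<entry name='password'/>\n")
            os.chmod(path, 0o644)          # file itself is world-readable
            os.chmod(os.path.join(store, sub), dmode)
        os.chmod(store, 0o755)
        print(exposed_files(store))        # only the file under open/
        os.chmod(store, 0o700)             # owner-only top level
        print(exposed_files(store))        # nothing is reachable now
```

An empty result covers other unprivileged accounts only; as the reply above notes, root can read the files regardless of mode bits.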
