Re: stored credentials was: Netscape 4.5 vulnerability

From: Bernd Eckenfels (listsat_private)
Date: Tue Apr 20 1999 - 12:59:24 PDT

    On Mon, Apr 19, 1999 at 10:01:26AM +1200, Russell Fulton wrote:
    > To my knowledge you are correct.  The bottom line is this: Client
    > programs that store credentials so the user does not have to enter them
    > every time the program is used are insecure.  End of story.
    
    Well actually you can use one key/passphrase to secure all the stored
    credentials. This has the advantage that you don't need to remember all
    credentials (which is impossible for secret keys anyway). But it has the
    disadvantage that the security is
    a) breakable by trojans/backdooring
    b) as secure as the (weakest) manually entered password
    
    Netscape supports passwords to unlock the credential store. On a physically
    secure system this provides a bit of security. On physically insecure systems
    even smartcards can fail, since the trojan can use the plugged smartcard
    without the user noticing it.
    
    Greetings
    Bernd
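
An added example, not part of the original message and not Netscape's code: a minimal credential store in which one passphrase protects every stored credential, as the message describes. The function names, blob layout and iteration count are assumptions, and HMAC-SHA256 in counter mode stands in for a vetted AEAD cipher so the block needs only the Python standard library.

```python
import hashlib, hmac, json, os

ITERATIONS = 100_000  # assumed work factor; raises the cost of each passphrase guess

def _derive_keys(passphrase, salt):
    # One passphrase yields both the encryption key and the MAC key.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    # Stand-in stream cipher: HMAC-SHA256 over nonce || counter.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(passphrase, credentials):
    """Encrypt-then-MAC the whole store; returns salt || nonce || tag || ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plain = json.dumps(credentials).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def unseal(passphrase, blob):
    """Verify the tag before decrypting; a wrong passphrase and tampering both fail here."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified store")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)

if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    store = seal("one long passphrase", {"mail.example.org": "s3cret"})
    print(unseal("one long passphrase", store))
```

The store protects the credentials only while it is locked: after `unseal` the plaintext sits in process memory, which is where point (a) applies, and the derived keys are never stronger than the passphrase itself, which is point (b).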
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:16 PDT