[29116] in bugtraq
Re: Netscape Communicator 4.x sensitive informations in configuration
daemon@ATHENA.MIT.EDU (MightyE)
Mon Mar 3 11:29:42 2003
Message-ID: <3E6355D8.8010501@mightye.org>
Date: Mon, 03 Mar 2003 08:17:12 -0500
From: MightyE <mightye@mightye.org>
MIME-Version: 1.0
To: Neil Dickey <neil@geol.niu.edu>
In-Reply-To: <200302281841.MAA01684@shiloh.geol.niu.edu>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms090005000006050806010707"
Although keeping the password plaintext in a configuration file isn't
the best way to handle a password that software needs to remember, I do
however want to point out that in order for programs to remember your
password, they *must* store the password in some sort of reversible
obfuscation, meaning that once the obfuscation algorithm is known, the
password is no more secure no matter how obfuscated it gets, as the
software must at some point in time return it to a plaintext form in
order to make use of it.
Obfuscating stored passwords only provides a minimal level of additional
protection. If you are using a system where someone has access to your
configuration files (example: public computer lab in a library or
college campus), then do *not* store your password on that machine. If
someone has the same access to that machine as you do, consider any
information you store on it to be publicly available, and take
appropriate precautions for sensitive information.
-MightyE
Neil Dickey wrote:
>Marc Ruef <marc.ruef@computec.ch> wrote:
>
>
>
>>The following paste shows the IMAP mail part of this configuration file.
>>You can see that line 17 shows the unencrypted password
>>("MyPassword4").
>>
>>[ ... Snip ... ]
>>
>>user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
>>user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
>>
>>
>
>I notice from the line immediately following that you have the package
>remember your password. It's been my understanding that doing so is
>bad practice because that's just the sort of thing that someone probing
>your system would very likely be looking for. Certainly if you save
>your password only in your head, then whether or not the program stores
>it in the clear is a moot question. ;-)
>
>Best regards,
>
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>60115
>
>
>
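The advice in this thread (do not leave a remembered password in a preferences file that other users of the machine can read) can be checked mechanically. The following is an added example, not part of any message above: it assumes the `user_pref(...)` key layout shown in the quoted excerpt and POSIX permission bits, and `audit_prefs`, `readable_by_others` and the sample host and value are constructed for illustration.

```python
import os
import re
import stat

# user_pref("key", value); lines, in the layout shown in the quoted excerpt.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# Host names contain dots, so the greedy group runs up to the final field name.
KEY_RE = re.compile(r'^mail\.imap\.server\.(.+)\.(password|remember_password)$')

# Constructed sample: host and value are placeholders, not taken from the thread.
SAMPLE = '''\
user_pref("mail.imap.server.imap.example.org.password", "placeholder-secret");
user_pref("mail.imap.server.imap.example.org.remember_password", true);
user_pref("browser.startup.homepage", "http://example.org/");
'''


def audit_prefs(text):
    """Map each IMAP host to whether a password is stored and remembered.

    The password value itself is never returned or printed."""
    findings = {}
    for line in text.splitlines():
        pref = PREF_RE.match(line)
        key = KEY_RE.match(pref.group(1)) if pref else None
        if not key:
            continue
        host, field = key.groups()
        entry = findings.setdefault(host, {"stored": False, "remember": False})
        value = pref.group(2).strip()
        if field == "password":
            entry["stored"] = value != '""'
        else:
            entry["remember"] = value == "true"
    return findings


def readable_by_others(path):
    """True if the POSIX mode bits let group or other users read the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for host, entry in audit_prefs(SAMPLE).items():
        print(host, "password stored:", entry["stored"],
              "remember_password:", entry["remember"])
```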