a user security hole in mindterm's ssh 2 applet
Andersson, Mats
mats.andersson@appgate.com
Thu, 19 Sep 2002 11:52:05 +0200 (CEST)
On 18 Sep 2002, Adler, Stephen wrote:
> discovered a rather ugly user enabled security hole in the mindterm
>
> the "save password" option, then not enter in a password to password
This is actually a "feature": it means that if you save your passwords
etc. without encrypting them (i.e. no passphrase given), they are going to
be saved unencrypted (so they can be retrieved without user intervention).
> to find a way to close this hole, either by setting up some way of
> disabling the saving of passwords, or forcing the user to enter in a
> password to encrypt the local password file.
Saving passwords is disabled by default. Entering an empty passphrase
should perhaps warn people about what doing that implies. You might also
have a point about the need for a special setting which disables the
option entirely (or something forcing a passphrase and hence encryption).
I wouldn't consider this a very grave security issue though; even a normal
user probably understands that he shouldn't enable saving passwords on a
computer that anybody can access freely (even when giving a passphrase to
encrypt it).
Cheers,
/Mats
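The behaviour discussed in this thread, as an added illustration that is not MindTerm's code and does not use MindTerm's on-disk format: a "permissive" saver writes the password in the clear whenever the passphrase is empty (the "feature" Mats describes), while a "strict" saver refuses an empty passphrase and always encrypts. The file markers, function names and the HMAC-SHA256-in-counter-mode keystream are assumptions made here so the example runs on the Python standard library alone; a real implementation would use a vetted AEAD such as AES-GCM instead of the hand-rolled stream cipher.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Hypothetical file markers for this demo; not MindTerm's real format.
MAGIC_PLAIN = b"DEMO-PWSTORE-PLAIN\n"
MAGIC_ENC = b"DEMO-PWSTORE-ENC\n"
PBKDF2_ROUNDS = 200_000


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 used as a PRF in counter mode (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _encrypt(secret: bytes, passphrase: str) -> bytes:
    """Encrypt-then-MAC: salt || nonce || tag || ciphertext."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return MAGIC_ENC + salt + nonce + tag + ct


def _decrypt(blob: bytes, passphrase: str) -> bytes:
    body = blob[len(MAGIC_ENC):]
    if len(body) < 64:
        raise ValueError("truncated password file")
    salt, nonce, tag, ct = body[:16], body[16:32], body[32:64], body[64:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    # Verify the tag before touching the ciphertext; a wrong passphrase fails here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def save_password_permissive(path: str, secret: bytes, passphrase: str) -> None:
    """The behaviour described in the thread: empty passphrase => plaintext on disk."""
    data = MAGIC_PLAIN + secret if passphrase == "" else _encrypt(secret, passphrase)
    with open(path, "wb") as f:
        f.write(data)


def save_password_strict(path: str, secret: bytes, passphrase: str) -> None:
    """The suggested fix: refuse to save without a passphrase, always encrypt, owner-only perms."""
    if not passphrase:
        raise ValueError("refusing to save a password without a passphrase")
    with open(path, "wb") as f:
        f.write(_encrypt(secret, passphrase))
    os.chmod(path, 0o600)


def load_password(path: str, passphrase: str) -> bytes:
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(MAGIC_PLAIN):
        return data[len(MAGIC_PLAIN):]  # no passphrase needed: the "feature"
    if data.startswith(MAGIC_ENC):
        return _decrypt(data, passphrase)
    raise ValueError("unrecognised password file")


def demo() -> dict:
    """Exercise both savers on a constructed sample password and report what ends up on disk."""
    secret = b"correct horse battery staple"  # constructed sample, not a real credential
    with tempfile.TemporaryDirectory() as d:
        plain_path, enc_path = os.path.join(d, "plain.pwd"), os.path.join(d, "enc.pwd")
        save_password_permissive(plain_path, secret, "")
        save_password_permissive(enc_path, secret, "hunter2")
        with open(plain_path, "rb") as f:
            on_disk_plain = f.read()
        with open(enc_path, "rb") as f:
            on_disk_enc = f.read()
        try:
            save_password_strict(os.path.join(d, "strict.pwd"), secret, "")
            strict_refused = False
        except ValueError:
            strict_refused = True
        try:
            load_password(enc_path, "wrong")
            wrong_rejected = False
        except ValueError:
            wrong_rejected = True
        return {
            "plain_leaks_secret": secret in on_disk_plain,
            "enc_hides_secret": secret not in on_disk_enc,
            "enc_roundtrip": load_password(enc_path, "hunter2") == secret,
            "strict_refuses_empty": strict_refused,
            "wrong_passphrase_rejected": wrong_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The permissive saver is exactly the trade-off Mats calls a feature: a file written with an empty passphrase is readable by anyone who can read the file, which is the whole point of unattended retrieval. The strict variant implements the "force a passphrase" option Stephen asks for; whether to warn or to refuse is a product decision, but either way the empty-passphrase path should not silently produce a plaintext file.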