[Developers] SECURITY: trivial reveal of stored passwords
Daniel M. Zimmerman
dmz+lists at tffenterprises.com
Wed Aug 22 02:40:37 CEST 2007
--On 21 August 2007 16:42:16 -0700 Eric Hodel <drbrain at segment7.net> wrote:
> I can confirm it.
>
> Some other malicious or exploited executable could harvest your SSH
> keychain passwords and keys and send them over the web without your
> knowledge.
Well, yes, that's exactly what I said:
"However, I don't see this as necessarily a serious problem, since one has
to either run a malicious piece of software other than SSHKeychain or have
an already-compromised system or user account in order to trigger it."
However, what would concern me would be if malicious websites/emails/IMs
could convince _non-malicious_ browsers/email clients/IM clients to get the
passwords from SSHKeychain and send them out. If you postulate that I
already have a malicious executable on my system, or a compromised user
account, the game is already over security-wise in any event.
That's not to say that this isn't a problem that should be fixed; it
definitely should be, if it can be. I just don't think it's a "sky is
falling" sort of issue.
-Dan
------------------------------------------------------------------
Daniel M. Zimmerman TFF Enterprises
1900 Commerce St. Box 358426 http://www.tffenterprises.com/~dmz/
Tacoma, WA 98402 USA dmz at tffenterprises.com