[Developers] SECURITY: trivial reveal of stored passwords
Jay
sshkeychain at lindalane.com
Thu Aug 23 04:18:08 CEST 2007
On Aug 23, 2007, at 12:39 AM, Eric Warnke wrote:
> I understand your confusion. Security topics are often difficult to
> pin down.
>
> Your example is not correct because Mail.app does not give any
> application the password that asks for it, it ONLY sends it over the
> wire to your mail server (using SSL I hope). In this way Mail.app
> has asked for the password from the keychain and used it in the manner
> that I expected it to. If you attempted to change out Mail.app,
> keychain would notice and prompt you, and running tcpdump requires
> root access or control of the network (non-trivial).
>
> The fact that SSHKeychain will divulge those same passwords in a way
> that is clearly unintended and trivial to implement is a bug and a
> security concern.
That clarifies things for me. Thank you.