
List:       kmail-devel
Subject:    Re: Saving of passwords (Was: Security status)
From:       Waldo Bastian <bastian () suse ! de>
Date:       2000-02-07 12:37:49

On Mon, 07 Feb 2000, George Staikos wrote:
> > > Not to mention that most of them will be using POP3 and sending
> > > their password cleartext over the network anyways.
> >
> > That is no reason to create additional security weaknesses.
>
>   We aren't creating an additional security weakness though.  I don't
> see it being any more or less secure by putting it in a different
> file.  Just more of a pain.

By pulling sensitive data out of the config file and into a separate 
file it is easier to give this file the right permissions.

> > > We're just adding
> > > more security through obscurity, really.
> >
> > Scrambling the password to make it "non-plaintext" falls in the
> > category "security through obscurity". Ensuring correct
> > file-permissions on sensitive data is a sane way to build a secure
> > system.
>
>    Correct and this should be on the home directory and the .kde
> directory.

Bullshit. Not everything in my home / .kde directory needs to be 
inaccessible just because a mail-program is too lazy to set correct 
file-permissions.

That's like setting /etc to 0700 because you don't want to set 
/etc/shadow to 0600. 

Cheers,
Waldo
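
The approach argued for in the message above (a separate file for the password, with its own permissions, instead of locking down the whole directory), sketched as an added example that is not part of the original thread and is not KMail code. The function names `save_secret` and `load_secret` and the file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, fchmod */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Store `secret` in its own file, readable and writable by the owner only. */
int save_secret(const char *path, const char *secret)
{
    /* 0600 applies at creation; O_NOFOLLOW refuses a symlink at `path`. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    /* An existing file keeps its old mode: tighten it before writing. */
    if (fchmod(fd, 0600) != 0 || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    size_t len = strlen(secret);
    ssize_t n = write(fd, secret, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Read it back, refusing a file that other users could read or replace. */
int load_secret(const char *path, char *buf, size_t cap)
{
    int fd = cap ? open(path, O_RDONLY | O_NOFOLLOW) : -1;
    if (fd < 0) return -1;
    struct stat st; /* fstat checks the file actually opened, not the path */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0)
        buf[n] = '\0';
    return n >= 0 ? 0 : -1;
}

int main(void)
{
    char buf[64];
    const char *path = "mail-secrets.example"; /* hypothetical file name */
    if (save_secret(path, "constructed-password") || load_secret(path, buf, sizeof buf))
        return 1;
    printf("re-read %zu bytes from a 0600 file\n", strlen(buf));
    return unlink(path);
}
```

The mode is fixed by the program itself rather than inherited from the umask or the parent directory, so the rest of the home and .kde directories can keep whatever permissions they already have.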
