Windows Explorer may expose FTP passwords in plaintext
Subject Author Date
Windows Explorer may expose FTP passwords in plaintext Brian Knittel 07-18-2008
Posted by S. Pidgorny on July 21, 2008, 6:18 am
G'day:

"Stefan Kanthak" wrote in message

> So you won't see a problem if the login dialog/screen prints the users
> password too?
> Or any other dialog, for example in Outlook, Outlook Express, Windows
> Mail, ..., where a "remembered" password can be used?

Not really. I find hiding my passwords from me very inconvenient at times.
Especially in the case where it gets stored and transmitted to the destination in
clear - then it doesn't make sense at all.

>>> 2. Think of a shared computer in a public place.
>>
>> It's not secure by definition, therefore mustn't be used for accessing
>> supposedly protected, personal information, via ftp or otherwise.
>
> The emphasis lies on THINK.
> Please construct another more appropriate example yourself, say: you
> help your neighbor with his/her computer and login to one of yours
> from said neighbor's computer. Shall that password be displayed to
> your neighbor?

I avoid situations like that. Not by not helping those in need.

Kindly don't assume that your way of thinking is the only right one.
Printing in all capitals doesn't really prove anything.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *



Posted by Shenan Stanley on July 19, 2008, 3:40 pm
Brian Knittel wrote:
> If you use Windows Explorer to open an FTP site that requires a
> password, Explorer may display the password in clear text in the
> future through the autocomplete feature in Explorer's Address bar.
> I've tried this on one XP SP3 machine and the password DOES appear,
> but on another XP SP3 machine only the username appears. Steps to
> reproduce:
> 1. Open Windows Explorer and if necessary enable the display of the
> Address bar
>
> 2. In the Address bar, enter the URI of an FTP server that does not
> permit anonymous access and on which you have an account, e.g.
> ftp://host.domain.com/myfolder
>
> 3. Windows Explorer will prompt you for a username and password,
> and then will display the folder contents
>
> 4. Close Windows Explorer, then open Windows Explorer again.
>
> 5. In the Address bar, type ftp:
>
> At this point autocomplete should kick in and display the URI with
> at least your username and maybe the password displayed in clear
> text, e.g.
> ftp://username:password@host.domain.com/somefolder
>
> The version with the username and password doesn't appear in the
> Address bar's MRU dropdown, but just in prompts popped up by
> autocomplete. The password does not seem to appear in plaintext in
> the Registry.
> As I said, I have one machine that reliably shows the password, and
> another that doesn't.
>
> Does anyone else find that the password is displayed?
>
> (No need to discuss the insecurity of FTP itself--that's not the
> issue here. This is about the potential for exposing previously
> used passwords on the desktop)

Actually - I would say that the last paragraph/disclaimer is the issue.

FTP is a basic transfer method - old (should be obsolete in my opinion - and
is in many places) and natively insecure. If you are using ftp to transfer
anything - I would consider that an unwise decision and would not expect
anything you use to make the natively insecure protocol any better for you
and thus - the best alternative IMHO - is to just find a better method of
file transfer. (Unless you are just grabbing files you feel okay with being
transferred in such an open method.)

As for the other responder - if you are foolhardy enough to go to a public
computer and log into a private FTP site using Internet Explorer and
download something - I am without words to express ... I mean - wow. I
know - not everyone may be aware how insecure FTP is - but - those people
probably aren't using FTP anyway. (I agree with point (1) of yours, BTW -
although that is more a function of the way the information gets passed to
the site than the browser - as well as the browser cache settings, etc. In
the case of old/obsolete FTP, that way is insecure and horrible all the way
down the line.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Posted by Stefan Kanthak on July 19, 2008, 5:54 pm


> As for the other responder - if you are foolhardy enough to go to a public
> computer and log into a private FTP site using Internet Explorer and
> download something - I am without words to express ... I mean - wow.

*I* am no *such* fool, and I've noticed the "disclaimer" of Brian very well.

The point is NOT the FTP protocol, it's IE that discards one of the main
principles in handling credentials: NEVER EVER display a password in clear,
neither when input nor when prepopulating an input field with a stored one.

> I
> know - not everyone may be aware how insecure FTP is - but - those people
> probably aren't using FTP anyway.

But the same people might very well use POP3 or IMAP or SMTP (without SSL,
TLS, APOP etc.) on a public computer and send their credentials in cleartext.
Or they might use their laptop, connected to a public WLAN, and do the same.

I bet that *many* PC users can't tell whether their email provider allows
SSL/TLS and whether their computer or laptop is configured to use encryption
on the wire to access their mailbox.

> (I agree with point (1) of yours, BTW -
> although that is more a function of the way the information gets passed to
> the site than the browser - as well as the browser cache settings, etc. In
> the case of old/obsolete FTP, that way is insecure and horrible all the way
> down the line.)

regards
Stefan


Posted by Brian Knittel on July 19, 2008, 5:31 pm
Stefan got the point: a computer should never display a previously entered
password in clear text, no matter what, and I have observed Windows doing
just that.

Has anyone else observed this behavior following the steps I outlined?

Please add this additional step:

When you are viewing the remote FTP directory using Windows Explorer,
drag a file from the FTP directory onto your desktop. Then, close Explorer,
reopen it, and type ftp:// into the Address window. (I just noticed that the
passwords I see are all on URIs that have filenames)

Could you please test this, and if you have a positive result (that is, you
see the password), please post a response. It would help if you noted your
version of Windows and Service Pack level.

Or, if you have a negative result, that is, you drag a file to your desktop,
and the next time you open Explorer and type ftp:// into the Address bar you
DO NOT see the password, please also post a response, if others haven't
already done so for your particular version+SP level of Windows.

Please, in the interest of keeping on topic, let's just focus on this one
behavior, and save discussions of network protocol security, public
computers and the like for another day.
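The credential-bearing form shown in the thread, ftp://username:password@host/path, is an ordinary URI with a userinfo component, so a history or autocomplete store can be checked for it and the password masked before anything is echoed back. The following is an added example written for this page, not code from any poster; the history entries are constructed samples, and the function names are my own.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample of address-bar history entries (not real data).
SAMPLE_HISTORY = [
    "ftp://host.domain.com/myfolder",
    "ftp://username:password@host.domain.com/somefolder/report.txt",
    "ftp://username@host.domain.com/somefolder",
    "ftp://bob:p%40ss%2Fword@ftp.example.net:2121/pub/file.zip",
    "http://www.example.org/index.html",
]


def embedded_credentials(uri):
    """Return (username, password) from the URI's userinfo, or None.

    Both parts are percent-decoded; password is None when only a
    username is embedded (the "username-only" case seen in the thread).
    """
    parts = urlsplit(uri)
    if parts.username is None:
        return None
    pw = unquote(parts.password) if parts.password is not None else None
    return (unquote(parts.username), pw)


def redact_uri(uri, mask="***"):
    """Rebuild the URI with the password replaced by a mask.

    Username, host, port, path, query and fragment are preserved so the
    entry remains usable as an autocomplete suggestion.
    """
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal must keep its brackets
        host = "[" + host + "]"
    if parts.port is not None:
        host += ":%d" % parts.port
    netloc = parts.username + ":" + mask + "@" + host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_history(entries):
    """Return (original, redacted) pairs for entries carrying a password."""
    findings = []
    for entry in entries:
        creds = embedded_credentials(entry)
        if creds is not None and creds[1] is not None:
            findings.append((entry, redact_uri(entry)))
    return findings
```

Running audit_history over SAMPLE_HISTORY flags the two entries that embed a password and leaves the username-only and anonymous entries alone.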



Posted by Shenan Stanley on July 19, 2008, 9:13 pm
Brian Knittel wrote:
> Stefan got the point: a computer should never display a previously
> entered password in clear text, no matter what, and I have observed
> Windows doing just that.
>
> Has anyone else observed this behavior following the steps I
> outlined?
> Please add this additional step:
>
> When you are viewing the remote FTP directory using Windows
> Explorer, drag a file from the FTP directory onto your desktop. Then,
> close Explorer, reopen it, and type ftp:// into the Address window. (I
> just noticed that the passwords I see are all on URIs that have filenames)
>
> Could you please test this, and if you have a positive result (that
> is, you see the password), please post a response. It would help if
> you noted your version of Windows and Service Pack level.
>
> Or, if you have a negative result, that is, you drag a file to your
> desktop, and the next time you open Explorer and type ftp:// into
> the Address bar you DO NOT see the password, please also post a
> response, if others haven't already done so for your particular
> version+SP level of Windows.
> Please, in the interest of keeping on topic, let's just focus on
> this one behavior, and save discussions of network protocol
> security, public computers and the like for another day.

I *know* it happens - because it's been doing that for years.
IE4, IE5, IE6 and I bet IE7.

It is not like this discussion is new. ;-)

Maybe where the password is displayed is (maybe) - but I am sure it has to
do with 'how the browser has to pass the credentials...' - so it may be a
direct result of the protocol rules of passing things in clear/plain text.

Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
http://www.astonisher.com/archives/bugnet/alerts/bugalert_81199.html
(1999)

Internet Explorer discloses FTP access credentials
http://www.heise-online.co.uk/security/Internet-Explorer-discloses-FTP-access-credentials--/news/94349
(2007)

Internet Explorer and Your Web Site's Privacy
http://blog.washingtonpost.com/securityfix/2007/08/ftp_files_expose_web_site_cred.html
(2007)


How to Enter FTP Site Password in Internet Explorer
http://support.microsoft.com/kb/135975
(OLD - since it mentioned Windows 95/98 - but last updated in 2007)

"NOTE: The user name and password you enter in the Login As dialog box are
passed through as plain text and may be displayed in the Internet Explorer
title bar or status bar while you are connected to the site.

Note that this is not a secure method of logging on, as the password is
viewable in plain text. If you require additional security, use the FTP
client (Ftp.exe) that is included in your version of Windows 95 or Windows
98."

Does FireFox do it?
Opera?
Any other browsers?

Or do some browsers not even do FTP because of the weak security and how
they would have to pass the username/password?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


