Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password is transferred between client and agent via an insecure channel #1

Closed
dmurvihill opened this issue Jul 18, 2014 · 1 comment
Closed

Password is transferred between client and agent via an insecure channel #1

dmurvihill opened this issue Jul 18, 2014 · 1 comment

Comments

@dmurvihill
Copy link

Currently, the client instructs pwsafe to write extracted passwords to a temporary file, which the client then reads, puts, and unlinks. In the interval between the agent writing the file and the client reading it, any user with read access to that file can acquire the user's password. Moreover, upon use the file is simply unlinked from the filesystem, not properly erased, meaning any agent that can read the underlying disk still has access to the file until it is overwritten by something else. Both of these behaviors violate security goals of Password Safe, which does not have to trust the file system or disk. pwsafe-agent has to find a different way to receive the password in order to be a viable security tool.
@freegenie
Copy link
Owner

Thanks a lot for your review. This was actually toy-project I started years ago. I'll put a disclaimer on the README file to warn it's an unsafe tool.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@freegenie @dmurvihill