On 30.08.21 03:38, Barry wrote:


On 26 Aug 2021, at 11:30, Stefan Sperling <s...@elego.de> wrote:

I think this may still be better than the alternative where configuration
files can be tweaked to trick Alice into unknowingly saving her password
in plaintext while running regular SVN operations. Having 'svn auth' be
the only command which would write a plaintext password does provide some
protection in this scenario, regardless of whether credentials are checked
against the server before they get cached.

A person who can trick Alice to save plaintext passwords by changing her config file can also trick her to run something else instead of svn or maybe also log key presses, take screenshots, turn on the camera and a lot more.

The evil maid simply gets the plain text of the passwords by asking key ring 
for them.
That works today with plaintext disabled.

Only in the case of a stolen machine is plaintext on disk a problem.
And that assumes that you did not use full disk encryption.

Barry

Or in the case of an attacker getting remote access to a machine. Thanks for mentioning that. Another problem I saw with some password stores is, that they sometimes insisted on opening a window asking for a passphrase. Local this is just annoying, remote there is a (small) chance that the window is presented to somebody else. I'm not sure if his has been fixed since I just disabled all password stores.

I would prefer it if it stayed the way it was before, just tell the users when a password is saved as plaintext.

An option which could work for everybody is to move the plaintext password storage code also to a library libsvn_auth_plaintext.so like it is done with the other providers. If people feel it is not enough to remove it from the "password-stores" config they could also delete that library.

Martin

Reply via email to