----- Original Message ----- From: "Nicolas Pouvesle" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 07, 2005 8:32 PM
Subject: Re: Nessus wx-1.4.5a communication protocol tracer password revelation
On Mar 7, 2005, at 8:00 PM, Kevin Davis wrote:

> Why can't all the config files have the credentials encrypted? (This includes NeWT the last time I checked too). If the application is storing the credentials, it should be at least partially responsible for protecting them. At bare minimum it should be spelled out plainly to anyone who may use it that their credentials are being stored locally in plaintext.

Because it is just useless. All locally encrypted credentials files can be easily decrypted because the encryption key is in the software (easy to get when open source and not so hard when closed source).
The only way is to provide a password each time you want to use the nessus client.

> Other scanners like ISS keep locally encrypted credentials (they have a related unresolved issue in their GUI, though). I know of a couple of organizations that are not able to use Nessus (but would like to) because their security policy prohibits the use of any application that stores credentials in plaintext.

Sure, it is really hard to use home/file access rights under unix. Sometimes you can even use an encrypted home folder ....
For the unix nessus client you can protect it easily if you really want to protect/encrypt it.
For windows (NessusWX) maybe one day something will be done, if I find time.
Nicolas
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
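The unix-side mitigation Nicolas points to above (rely on file access rights rather than on a key baked into the client) can be checked and enforced with a few lines. The following is an added example written for this thread, not code from Nessus, NessusWX or either poster; the config path `~/.nessusrc` is an assumption, and the demo writes its own constructed file under a temporary directory rather than touching a real client configuration.

```python
import os
import stat
import tempfile

# Assumption: the unix client's credential-bearing config file; the thread
# does not name the path, so treat this as a placeholder.
DEFAULT_CONFIG = os.path.expanduser("~/.nessusrc")


def audit_permissions(path):
    """Return a list of findings for a file that holds plaintext credentials.

    An empty list means: owned by the current user, readable and writable
    by the owner only, and not sitting in a directory others can write to
    (where a symlink swap or rename could replace the file).
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others (mode %04o)" % mode)
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    # A world-writable parent without the sticky bit lets any local user
    # rename the file away and plant their own.
    if (pmode & stat.S_IWOTH) and not (pmode & stat.S_ISVTX):
        findings.append("parent directory %s is world-writable" % parent)
    return findings


def harden(path):
    """Restrict an existing config file to the owner and re-audit it."""
    os.chmod(path, 0o600)
    return audit_permissions(path)


def write_private(path, data):
    """Write credentials so the file is 0600 from the moment it exists.

    Passing the mode to os.open avoids the window in which a permissive
    umask would leave a freshly created file group/world readable; the
    rename makes the replacement atomic.
    """
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, 0o600)  # in case a stale .tmp pre-existed with a wider mode
    os.replace(tmp, path)
    return audit_permissions(path)


def demo():
    """Constructed scenario: a config left world-readable, then fixed.

    Returns (findings_before, findings_after_harden, findings_after_rewrite).
    """
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "nessusrc")
    with open(cfg, "w") as f:
        f.write("login=alice\npassword=constructed-example\n")
    os.chmod(cfg, 0o644)  # the weak setting: readable by every local user
    before = audit_permissions(cfg)
    after = harden(cfg)
    rewritten = write_private(cfg, b"login=alice\npassword=rotated-example\n")
    return before, after, rewritten


if __name__ == "__main__":
    before, after, rewritten = demo()
    print("before:", before or "clean")
    print("after harden:", after or "clean")
    print("after rewrite:", rewritten or "clean")
    if os.path.exists(DEFAULT_CONFIG):
        print(DEFAULT_CONFIG, audit_permissions(DEFAULT_CONFIG) or "clean")
```

Running the script audits the constructed file and, if `~/.nessusrc` exists, reports on it without modifying it; only the temporary file is changed. This does not make the stored credentials any less plaintext, which is the point Nicolas concedes: it narrows who on the host can read them, and the per-use password he describes is the only option that keeps the secret out of the file altogether.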
